View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 254
IDProjectCategoryView StatusDate SubmittedLast Update
14713Bug reportsSecuritypublic2019-04-02 08:272019-04-02 16:43
Reporterbewi Assigned ToDenisChenu  
PrioritynoneSeveritypartial_block 
Status closedResolutionfixed 
Product Version3.16.x 
Fixed in Version3.17.x 
Summary14713: Persistent XSS in user group management
Description

It is possible to permanently store malware in the application and an admin with low privileges can infect a SuperAdmin.

Any user or admin who can create a new user group or who can edit a user group can infiltrate malicious code in the "Description" input field.
As soon as an admin logs in and opens the tab "Configuration/Create/edit user groups", the malicious code is executed.

Steps To Reproduce

see screenshots:
Limesurvey - 01 - editing user group.png
insert any HTML code in the description field. e.g. a script-tag with javascript code (here just a javascript call to alert())

Limesurvey - 02 - user group list.png
in the moment the editing is ended and the listing of all user groups should be shown. the javascript is executed

Limesurvey - 03 - user group list.png
after acknowlwding the alert() the 'normal' listing is shown

TagsNo tags attached.
Attached Files
LimeSurvey - 01 - editing user group.png (33,796 bytes)   
LimeSurvey - 01 - editing user group.png (33,796 bytes)   
LimeSurvey - 02 - user group list.png (57,916 bytes)   
LimeSurvey - 02 - user group list.png (57,916 bytes)   
LimeSurvey - 03 - user group list.png (35,955 bytes)   
LimeSurvey - 03 - user group list.png (35,955 bytes)   
Bug heat254
Complete LimeSurvey version number (& build)Version 3.16.1+190314
I will donate to the project if issue is resolvedNo
Browserfirefox
Database type & versionirrelevant
Server OS (if known)irrelevant
Webserver software & version (if known)irrelevant
PHP Versionirrelevant

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2019-04-02 09:19

developer   ~51264

Thanks for reporting
It's OK for group name ?
DenisChenu

DenisChenu

2019-04-02 10:15

developer   ~51266

https://github.com/LimeSurvey/LimeSurvey/commit/cb81914c361f4cb070b217282522f51fed4dc8be
bewi

bewi

2019-04-02 10:18

reporter   ~51267

the group name seems to be OK. so the field is much shorter the payload would be very short.

you might need an general approach to show all fields in a safe way (we had a pen-test two years ago, and there also was an XSS error).
DenisChenu

DenisChenu

2019-04-02 10:30

developer   ~51268

Here this part use a own function, only used for it … don't understand why since Yii have all
Someone can always for a column as raw, but if a dev made this (without good reason and wahy he do it) : the dev made an error.

We have :

  • raw : not update : allow XSS , must use with care
  • text : encoded , used by default (must update to another with good reason)
  • html : show html but filtered
  • some other but not dedicated to text :)

Issue History

Date Modified Username Field Change
2019-04-02 08:27 bewi New Issue
2019-04-02 08:27 bewi File Added: LimeSurvey - 01 - editing user group.png
2019-04-02 08:27 bewi File Added: LimeSurvey - 02 - user group list.png
2019-04-02 08:27 bewi File Added: LimeSurvey - 03 - user group list.png
2019-04-02 09:18 DenisChenu Assigned To => DenisChenu
2019-04-02 09:18 DenisChenu Status new => assigned
2019-04-02 09:18 DenisChenu View Status public => private
2019-04-02 09:19 DenisChenu Note Added: 51264
2019-04-02 09:54 DenisChenu Summary Persistent XSS => Persistent XSS in user group management
2019-04-02 10:15 DenisChenu Status assigned => resolved
2019-04-02 10:15 DenisChenu Resolution open => fixed
2019-04-02 10:15 DenisChenu Fixed in Version => 3.16.x
2019-04-02 10:15 DenisChenu Note Added: 51266
2019-04-02 10:15 DenisChenu View Status private => public
2019-04-02 10:18 bewi Note Added: 51267
2019-04-02 10:30 DenisChenu Note Added: 51268
2019-04-02 16:43 ollehar Status resolved => closed
2019-04-02 16:43 ollehar Fixed in Version 3.16.x => 3.17.x