View Issue Details

ID: 14737
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-05-29 11:14
Reporter: bewi
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.17.x
Fixed in Version: 3.17.x
Summary: 14737: XSS with file upload
Description

If you define a question of the type "file upload" and then activate "title" and "comments" under file metadata, a survey participant can later insert HTML code in these input fields. At this point the survey participant can infect himself. The infiltrated HTML code is displayed correctly in the backend but is not executed.
This code also may be executed after export of the survey results.

Recommendation: server-side validation and masking of all input parameters.

Tags: No tags attached.
Bug heat: 262
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No
Browser
Database type & version*
Server OS (if known)
Webserver software & version (if known)
PHP Version*

Relationships

duplicate of 12234 closedDenisChenu XSS in browse response 
has duplicate 14947 closedDenisChenu Question upload plugin, XSS during title, comment form filling 

Activities

DenisChenu

2019-04-04 09:54

developer   ~51336

Last edited: 2019-04-04 09:54

> This code also may be executed after export of the survey results.

You mean in spreadsheet? Not our problem. Like all text input in fact.

> Recommendation: server-side validation and masking of all input parameters.

No server side: it's a text, but must be htmlencoded when user looks at it: he enters <strong>, he must see
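
The output encoding described in the note above, as an added example that is not part of the original thread and not LimeSurvey's own code: the participant's text is stored unchanged and encoded only when it is written into the response view. The function names and the JSON shape of the stored metadata (a list of objects with "name", "title" and "comment" keys) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Encode one untrusted value for an HTML text or attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render stored upload metadata as table rows for a response view.
// Assumed (hypothetical) storage shape: a JSON list of objects with
// "name", "title" and "comment" keys, kept exactly as the participant typed them.
function renderUploadRows(string $storedJson): string
{
    $files = json_decode($storedJson, true);
    if (!is_array($files)) {
        // Malformed metadata is shown as a fixed message, never echoed back.
        return '<tr><td colspan="3">(unreadable metadata)</td></tr>';
    }
    $rows = '';
    foreach ($files as $file) {
        if (!is_array($file)) {
            continue;
        }
        $cells = '';
        foreach (['name', 'title', 'comment'] as $key) {
            $value = $file[$key] ?? '';
            // Only scalar values are printed; nested arrays become empty cells.
            $cells .= '<td>' . e(is_scalar($value) ? (string) $value : '') . '</td>';
        }
        $rows .= '<tr>' . $cells . "</tr>\n";
    }
    return $rows;
}

// Constructed sample input: the participant typed markup into both fields.
$stored = json_encode([[
    'name'    => 'report.pdf',
    'title'   => '<strong>Q3 report</strong>',
    'comment' => 'see "page 2" & <em>appendix</em>',
]]);

// The markup is displayed as literal text in the rendered table.
echo renderUploadRows($stored);
```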

DenisChenu

2019-04-04 15:18

developer   ~51339

I'm really tired … why does something fixed on old 2.6 come back again …

DenisChenu

2019-04-04 15:26

developer   ~51341

https://github.com/LimeSurvey/LimeSurvey/commit/cadecaa51e1e0b1d45f2ca7e89a854ffd2e6bb77

Mazi

2019-04-05 09:18

updater   ~51364

Thanks for continuous fixing, Denis!

c_schmitz

2019-04-30 09:13

administrator   ~51682

Fixed in version 3.17.3

Issue History

Date Modified Username Field Change
2019-04-04 07:50 bewi New Issue
2019-04-04 09:54 DenisChenu Note Added: 51336
2019-04-04 09:54 DenisChenu Note Edited: 51336
2019-04-04 09:55 DenisChenu Assigned To => DenisChenu
2019-04-04 09:55 DenisChenu Status new => assigned
2019-04-04 15:17 DenisChenu Relationship added duplicate of 12234
2019-04-04 15:18 DenisChenu Note Added: 51339
2019-04-04 15:26 DenisChenu Status assigned => resolved
2019-04-04 15:26 DenisChenu Resolution open => duplicate
2019-04-04 15:26 DenisChenu Fixed in Version => 3.17.x
2019-04-04 15:26 DenisChenu Note Added: 51341
2019-04-04 15:27 DenisChenu Resolution duplicate => fixed
2019-04-05 09:18 Mazi Note Added: 51364
2019-04-30 09:13 c_schmitz Note Added: 51682
2019-04-30 09:13 c_schmitz Status resolved => closed
2019-05-29 11:14 DenisChenu Relationship added has duplicate 14947