View Issue Details

ID: 14737
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-05-29 11:14
Reporter: bewi
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.17.x
Target Version:
Fixed in Version: 3.17.x
Summary: 14737: XSS with file upload
Description

If you define a question of the type "file upload" and then activate "title" and "comments" under file metadata, a survey participant can later insert HTML code in these input fields. At this point the survey participant can infect himself. The infiltrated HTML code is displayed correctly in the backend but is not executed.
This code also may be executed after export of the survey results.

Recommendation: server-side validation and masking of all input parameters.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No
Browser
Database & DB-Version*
Server OS (if known)
Webserver software & version (if known)
PHP Version*

Relationships

duplicate of 12234 (closed, DenisChenu): XSS in browse response
has duplicate 14947 (closed, DenisChenu): Question upload plugin, XSS during title, comment form filling

Activities

DenisChenu

2019-04-04 09:54

developer   ~51336

Last edited: 2019-04-04 09:54

> This code also may be executed after export of the survey results.

You mean in spreadsheet? Not our problem. Like all text input in fact.

> Recommendation: server-side validation and masking of all input parameters.

No server side: it's a text, but must be htmlencoded when user looks at it: he enters <strong>, he must see <strong>
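
The display-time encoding described in the note above, as an added PHP example (not LimeSurvey's code and not the linked commit): the metadata is stored exactly as typed and encoded only when it is rendered into HTML. The JSON layout with `name`, `title` and `comment` keys and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Encode a stored value for an HTML text or quoted-attribute context.
function h($value): string
{
    // Non-scalar values (e.g. nested arrays in tampered JSON) render as empty.
    $text = is_scalar($value) ? (string) $value : '';
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render stored upload metadata as table rows; the stored text is not altered.
function renderUploadMetadata(string $storedJson): string
{
    $files = json_decode($storedJson, true);
    if (!is_array($files)) {
        return '<tr><td colspan="3">' . h('(unreadable upload metadata)') . '</td></tr>';
    }
    $rows = '';
    foreach ($files as $file) {
        if (!is_array($file)) {
            continue; // skip entries that are not objects
        }
        // The title is used twice: once in an attribute, once as element text.
        $rows .= sprintf(
            '<tr><td title="%s">%s</td><td>%s</td><td>%s</td></tr>' . "\n",
            h($file['title'] ?? ''),
            h($file['name'] ?? ''),
            h($file['title'] ?? ''),
            h($file['comment'] ?? '')
        );
    }
    return $rows;
}

// Constructed sample: what a participant could type into "title" and "comment".
$stored = json_encode([[
    'name'    => 'report.pdf',
    'title'   => '<strong>Q3 report</strong>',
    'comment' => '"><em>see page 2</em>',
]]);

echo renderUploadMetadata($stored);
```

`ENT_QUOTES` matters for the `title` attribute: without it a single quote in the stored text would not be encoded.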

DenisChenu

2019-04-04 15:18

developer   ~51339

I'm really tired … why something fixed on old 2.6 comes back again …

DenisChenu

2019-04-04 15:26

developer   ~51341

https://github.com/LimeSurvey/LimeSurvey/commit/cadecaa51e1e0b1d45f2ca7e89a854ffd2e6bb77

Mazi

2019-04-05 09:18

partner   ~51364

Thanks for continuous fixing, Denis!

c_schmitz

2019-04-30 09:13

administrator   ~51682

Fixed in version 3.17.3

Issue History

Date Modified Username Field Change
2019-04-04 07:50 bewi New Issue
2019-04-04 09:54 DenisChenu Note Added: 51336
2019-04-04 09:54 DenisChenu Note Edited: 51336
2019-04-04 09:55 DenisChenu Assigned To => DenisChenu
2019-04-04 09:55 DenisChenu Status new => assigned
2019-04-04 15:17 DenisChenu Relationship added duplicate of 12234
2019-04-04 15:18 DenisChenu Note Added: 51339
2019-04-04 15:26 DenisChenu Status assigned => resolved
2019-04-04 15:26 DenisChenu Resolution open => duplicate
2019-04-04 15:26 DenisChenu Fixed in Version => 3.17.x
2019-04-04 15:26 DenisChenu Note Added: 51341
2019-04-04 15:27 DenisChenu Resolution duplicate => fixed
2019-04-05 09:18 Mazi Note Added: 51364
2019-04-30 09:13 c_schmitz Note Added: 51682
2019-04-30 09:13 c_schmitz Status resolved => closed
2019-05-29 11:14 DenisChenu Relationship added has duplicate 14947