View Issue Details

ID: 15141
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-03-15 15:39
Reporter: ma77ie
Assigned To: gabrieljenik
Priority: normal
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.17.x
Summary15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities
Description

Limesurvey uses an out-of-date version of bootstrap.min.js (version 3.3.7) which has security vulnerabilities ( https://www.cvedetails.com/vulnerability-list/vendor_id-19522/product_id-51406/version_id-286029/Getbootstrap-Bootstrap-3.3.7.html ) and should be upgraded to the latest version to fix these vulnerabilities.

Steps To Reproduce

Viewing the source of the home page shows the line including bootstrap.min.js:

<script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/bootstrap.min.js" class="headScriptTag"></script>

The start of bootstrap.min.js itself shows the version number:

/*!

Tags: No tags attached.
Bug heat: 262
Complete LimeSurvey version number (& build): 3.17.9+190731
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL 5.7.20
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0.33

Users monitoring this issue

DenisChenu

Activities

markusfluer

2019-08-08 16:41

administrator   ~53152

Since the switch to Bootstrap v4 has a potentially breaking impact on the software, this will not be done for LimeSurvey version 3 or 4, but rather for LimeSurvey version 5, planned for 2020.

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.

DenisChenu

2019-08-19 10:13

developer   ~53190

Last edited: 2021-02-04 13:04

@markusfluer : https://github.com/twbs/bootstrap/releases/tag/v3.4.1
Has the fix; the update can be done without breaking BS compatibility.

Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer

DenisChenu

2020-05-11 08:40

developer   ~57648

Last edited: 2021-02-04 13:04

Markus quit mantis

gabrieljenik

2021-03-01 14:08

manager   ~62574

This has already been like this since Aug 2019:
https://github.com/LimeSurvey/LimeSurvey/commit/a85ec977be0bce3433dc1363dde5ee65e34fce82

DenisChenu

2021-03-02 10:15

developer   ~62601

No

[shnoulle@poledra 3LTS]$ grep -r "Bootstrap v3" *
application/extensions/bootstrap/js/bootstrap.min.js: * Bootstrap v3.3.5 (http://getbootstrap.com)
application/extensions/bootstrap/js/bootstrap.js: * Bootstrap v3.3.5 (http://getbootstrap.com)

Else: all variations are from 3.3.7, but there is no security issue in the CSS file.
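The report's description identifies the shipped Bootstrap build from the `/*! * Bootstrap vX.Y.Z` banner comment, and the grep above does the same across the source tree by hand. The following is an added example, not code from the LimeSurvey project or from anyone in this thread: it walks a directory, reads the banner of every `bootstrap*.js` it finds, and flags 3.x copies older than 3.4.1, the release linked above as carrying the CVE-2019-8331 fix. The sample files it creates under a temporary directory are constructed for the demonstration; the paths and banner text only mimic the ones quoted in the thread.

```python
"""Inventory check for vendored Bootstrap JS files (added example, not LimeSurvey code).

Reads the "/*! * Bootstrap vX.Y.Z" banner that bootstrap.js and bootstrap.min.js
carry and flags 3.x builds older than 3.4.1 (the release with the CVE-2019-8331 fix).
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# 3.4.1 is the first 3.x release that ships the tooltip/popover HTML sanitizer.
MIN_SAFE_3X = (3, 4, 1)

# Matches the banner in both the readable and minified file, e.g.
# " * Bootstrap v3.3.5 (http://getbootstrap.com)".
BANNER_RE = re.compile(r"Bootstrap\s+v(\d+)\.(\d+)\.(\d+)")


def parse_version(header: str) -> Optional[Version]:
    """Return (major, minor, patch) from a Bootstrap file header, or None if absent."""
    m = BANNER_RE.search(header)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True for a 3.x build that predates 3.4.1; other major versions are not judged here."""
    return version[0] == 3 and version < MIN_SAFE_3X


def scan_tree(root: Path, head_bytes: int = 2048) -> Iterator[Tuple[Path, Optional[Version]]]:
    """Yield (path, version) for every bootstrap*.js under root; only the head is read."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("bootstrap") and name.endswith(".js"):
                path = Path(dirpath) / name
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    yield path, parse_version(fh.read(head_bytes))


def report(root: Path) -> List[Tuple[str, Optional[Version], str]]:
    """Collect findings: outdated 3.x copies and files whose banner could not be read."""
    findings = []
    for path, version in scan_tree(root):
        if version is None:
            findings.append((str(path), None, "no version banner; inspect manually"))
        elif is_vulnerable(version):
            findings.append((str(path), version, "older than 3.4.1"))
    return findings


def demo() -> List[Tuple[str, Optional[Version], str]]:
    """Run the scan over a constructed tree: one outdated copy, one patched copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = root / "application" / "extensions" / "bootstrap" / "js"
        old.mkdir(parents=True)
        (old / "bootstrap.min.js").write_text(
            "/*!\n * Bootstrap v3.3.5 (http://getbootstrap.com)\n */\n", encoding="utf-8"
        )
        new = root / "assets" / "js"
        new.mkdir(parents=True)
        (new / "bootstrap.min.js").write_text(
            "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */\n", encoding="utf-8"
        )
        return report(root)


if __name__ == "__main__":
    for path, version, reason in demo():
        print(f"{path}: {version} ({reason})")
```

Running it against a real checkout (`report(Path("/path/to/limesurvey"))`) lists every vendored copy, which is the point DenisChenu's grep makes: a vulnerable file can still sit in the tree even when a patched one is registered elsewhere, so the check has to cover every copy rather than the one the home page happens to load.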

gabrieljenik

2021-03-04 16:50

manager   ~62718

I don't think those files are actually being used.
That's part of the yiistrap extension, which provides helpers such as TbHtml.
That helper is used a lot, but only the PHP part, not the rest.

I have tried changing the name of those files, and no error appeared.
(I haven't tested the whole system.)

Suggested approach: Create a PR based on dev where we remove those files.
Check what's the outcome.

What do you think?

DenisChenu

2021-03-04 17:43

developer   ~62732

Suggested approach: Create a PR based on dev where we remove those files.

:+1:

DenisChenu

2021-03-04 17:44

developer   ~62733

Maybe in 3lts too?

And a mini update on extensions/bootstrap to remove all registerScriptFile ?

gabrieljenik

2021-03-10 15:56

manager   ~63003

https://github.com/LimeSurvey/LimeSurvey/pull/1798 for lts

JHoeck

2021-03-15 12:32

reporter   ~63360

Works fine. PR merged into LTS.

gabrieljenik

2021-03-15 12:34

manager   ~63361

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31326

gabrieljenik

2021-03-15 13:30

manager   ~63362

Honestly, this was a test to double check whether those removed files are used or not.
Not sure if it is best to remove those files.

If removing them is fine, then we should review also on LS4.
Looking forward on your comments and directions.

lime_release_bot

2021-03-15 15:39

administrator   ~63382

Fixed in Release 3.25.18+210316

Related Changesets

LimeSurvey: 3.x-LTS dc679f77

2021-03-15 12:34:53

gabrieljenik


Committer: GitHub
Fixed issue 15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities (#1798)

Updated bootstrap files.
Affected Issues
15141
mod - application/extensions/bootstrap/components/TbApi.php
rm - application/extensions/bootstrap/js/bootstrap.js
rm - application/extensions/bootstrap/js/bootstrap.min.js

Issue History

Date Modified Username Field Change
2019-08-07 14:23 ma77ie New Issue
2019-08-08 16:41 markusfluer Note Added: 53152
2019-08-08 16:42 markusfluer Assigned To => markusfluer
2019-08-08 16:42 markusfluer Status new => feedback
2019-08-19 10:13 DenisChenu Note Added: 53190
2019-08-19 10:17 DenisChenu Issue Monitored: DenisChenu
2020-05-11 08:40 DenisChenu Assigned To markusfluer => cdorin
2020-05-11 08:40 DenisChenu Status feedback => new
2020-05-11 08:40 DenisChenu Note Added: 57648
2021-02-04 13:04 cdorin Assigned To cdorin =>
2021-02-04 13:04 cdorin Priority none => normal
2021-02-04 13:04 cdorin Status new => confirmed
2021-02-04 13:04 cdorin Sync to Zoho Project => |Yes|
2021-03-01 09:33 c_schmitz Assigned To => gabrieljenik
2021-03-01 09:33 c_schmitz Status confirmed => assigned
2021-03-01 14:08 gabrieljenik Note Added: 62574
2021-03-02 10:15 DenisChenu Note Added: 62601
2021-03-04 16:50 gabrieljenik Note Added: 62718
2021-03-04 17:43 DenisChenu Note Added: 62732
2021-03-04 17:44 DenisChenu Note Added: 62733
2021-03-10 15:56 gabrieljenik Note Added: 63003
2021-03-15 12:32 JHoeck Status assigned => resolved
2021-03-15 12:32 JHoeck Resolution open => fixed
2021-03-15 12:32 JHoeck Note Added: 63360
2021-03-15 12:34 gabrieljenik Changeset attached => LimeSurvey 3.x-LTS dc679f77
2021-03-15 12:34 gabrieljenik Note Added: 63361
2021-03-15 13:30 gabrieljenik Note Added: 63362
2021-03-15 15:39 lime_release_bot Sync to Zoho Project Yes => |Yes|
2021-03-15 15:39 lime_release_bot Note Added: 63382
2021-03-15 15:39 lime_release_bot Status resolved => closed
2021-08-03 07:35 guest Bug heat 260 => 262