View Issue Details

ID: 15690
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2020-01-15 15:37
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: major
Status: testing
Resolution: fixed
Product Version: 4.0.0-RC13
Target Version:
Fixed in Version:
Summary: 15690: User with XSS enable can add/update scripts
Description

User with XSS filter enabled can add a script

Steps To Reproduce

Create a non-super-admin user and create a survey.

Try <script>alert('XSS')</script> in question->text: OK, filtered.
Add alert('XSS') in question->script: allowed.

Additional Information

This needs to be checked:
Allow viewing.
Disallow updating an existing script. Then only a superadmin can update the script (deleting the script is still updating the script).

This needs to be fixed in import, with remote control, etc. …

@cdorin: after checking, you can assign it to me if this feature is OK too: https://bugs.limesurvey.org/view.php?id=15096#c54731

Tags: No tags attached.
Complete LimeSurvey version number (& build): 4.0.0-RC13
I will donate to the project if issue is resolved: No
Browser: not relevant
Database & DB-Version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

related to 15096 (assigned, DenisChenu) - Feature requests: XSS for super-admin too
related to 15693 (testing, cdorin) - Feature requests: Allow simple user to update script with XSS enable
related to 15702 (new) - Bug reports: Script text field should be read-only when user is not allowed to add scripts

Activities

DenisChenu (developer), 2020-01-03 15:24, ~55125

https://github.com/LimeSurvey/LimeSurvey/pull/1358

ollehar (administrator), 2020-01-08 13:26, ~55150

How do I edit question->script?

ollehar (administrator), 2020-01-08 13:41, ~55151

Found, setting in profile.

ollehar (administrator), 2020-01-08 13:51, ~55152

Am I supposed to be able to run "alert('XSS')" in the admin interface via the script text field?

ollehar (administrator), 2020-01-08 13:52, ~55153

This bug report is not idiot safe :(

DenisChenu (developer), 2020-01-08 14:54 (two screenshot files attached, see Issue History)

DenisChenu (developer), 2020-01-08 14:57, ~55156

> This bug report is not idiot safe :(

LimeSurvey devs are not idiots.

ollehar (administrator), 2020-01-08 14:59, ~55157

> LimeSurvey devs are not idiots.

I've just proven you wrong. XD

Why is alert("XSS"); a problem? It's not run anywhere in the admin interface, at least not as far as I can tell.

DenisChenu (developer), 2020-01-08 15:11, ~55158 (last edited: 2020-01-08 15:12)

Same for cross-site scripting in question text: the objective is to prevent adding suspicious HTML inside a public survey.

https://manual.limesurvey.org/Optional_settings#Security

filterxsshtml: This setting enables the filtering of suspicious HTML tags located within surveys, groups, questions and answer texts in the administration interface. Leave this to 'false' only if you absolutely trust the users you created for the administration of LimeSurvey and if you want to allow these users to be able to use JavaScript, Flash movies, etc.

If you want to disable XSS in question text => you want to totally prevent users from adding any script: it's not only my opinion (I have clients).

Even a superadmin must not be allowed to add XSS in admin. See https://github.com/LimeSurvey/LimeSurvey/commit/323c6f2f0bfdd6eb1c6fe7dea16b2af503806d2a#diff-813c0e5c1b7f9c5b0239989343f8f282 for example.

ollehar (administrator), 2020-01-08 15:24, ~55160

OK, thanks for the info.

ollehar (administrator), 2020-01-08 16:45, ~55163 (last edited: 2020-01-08 16:46)

Fix pushed to branch bug/15690-user-with-xss-filter-enabled-can-add-script. Please review.

DenisChenu (developer), 2020-01-08 17:33, ~55164

https://github.com/LimeSurvey/LimeSurvey/commit/e27df930c8b0d4a8208c45836369a72c9883c58b#commitcomment-36711897

because already fixed in https://github.com/LimeSurvey/LimeSurvey/pull/1358

DenisChenu (developer), 2020-01-08 17:56, ~55165

XSS filtering must be moved to LSUser because it is related to the user.

I prefer using beforeSave over a rule. If it's a rule:

  1. create LSYii_NoChangeValidator.php (or another name)
  2. add array('script', 'LSYii_NoChangeValidator') here: https://github.com/LimeSurvey/LimeSurvey/commit/e27df930c8b0d4a8208c45836369a72c9883c58b#diff-be7262c5fa70e7a4d50a91e7a6a23894R81

DenisChenu (developer), 2020-01-09 17:20, ~55174

@ollehar: OK for beforeSave?

We cannot create an LSYii_NoChangeValidator, because the Validator gets only the attribute and value but not the model. And we need the model.

DenisChenu (developer), 2020-01-10 07:59, ~55177

https://github.com/LimeSurvey/LimeSurvey/pull/1364

ollehar (administrator), 2020-01-10 10:30, ~55180

> We cannot create an LSYii_NoChangeValidator, because the Validator gets only the attribute and value but not the model. And we need the model.

You can send the model as an argument to the validator.

ollehar (administrator), 2020-01-10 10:30, ~55181

The validator also has $object, from which you can use get_class().

ollehar (administrator), 2020-01-10 10:49, ~55183

Not saying using validator is the best way, just saying it's probably possible.

DenisChenu (developer), 2020-01-10 11:44, ~55187 (last edited: 2020-01-10 11:45)

> Not saying using validator is the best way, just saying it's probably possible.

I created a global solution, working for script but surely for others too: LSYii_NoUpdateValidator.php
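As an added illustration of the validator approach debated in these notes (example code, not the code merged in PR #1364), a Yii 1.1 CValidator that refuses any change to an attribute for users subject to XSS filtering, reloading the persisted row so that clearing the script counts as a change too. It assumes the Yii 1.1 CValidator/CActiveRecord API and treats gT(), App()->getConfig('filterxsshtml') and Permission::model()->hasGlobalPermission() as the LimeSurvey helpers for the permission decision.

```php
<?php
/**
 * Added example, not LimeSurvey's own LSYii_NoUpdateValidator.
 * Rule usage in a model (assumed): array('script', 'LSYii_NoUpdateValidator')
 */
class LSYii_NoUpdateValidator extends CValidator
{
    /** @var callable|null Optional override of the permission decision (handy in unit tests). */
    public $isAllowed = null;

    /**
     * XSS filtering is a per-user decision: with filterxsshtml off everyone may
     * script; otherwise only a superadmin may. Helper calls are assumed LimeSurvey APIs.
     */
    protected function userMayEdit()
    {
        if (is_callable($this->isAllowed)) {
            return (bool) call_user_func($this->isAllowed);
        }
        if (!App()->getConfig('filterxsshtml')) {
            return true;
        }
        return Permission::model()->hasGlobalPermission('superadmin', 'read');
    }

    protected function validateAttribute($object, $attribute)
    {
        if ($this->userMayEdit()) {
            return;
        }
        $new = (string) $object->$attribute;
        if ($object->getIsNewRecord()) {
            // A new record must not introduce any script for a filtered user.
            $old = '';
        } else {
            // Compare against the persisted value, not the submitted one:
            // emptying the field ("delete script") is also an update.
            $stored = $object->findByPk($object->getPrimaryKey());
            $old = ($stored === null) ? '' : (string) $stored->$attribute;
        }
        if ($new !== $old) {
            $message = ($this->message !== null)
                ? $this->message
                : gT('You are not allowed to update this script.');
            $this->addError($object, $attribute, $message);
        }
    }
}
```

Because the check runs inside validation, it applies wherever the model is saved (admin UI, import, remote control), which is the point raised in the Additional Information above.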

DenisChenu (developer), 2020-01-15 15:37, ~55291

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29355

Related Changesets

LimeSurvey: master 4774b185
2020-01-10 15:44:50, author: DenisChenu, committer: ollehar
Fixed issue 15690: User with XSS enable can add/update scripts (#1364)

* Fixed issue 15690: User with XSS enable can add/update scripts

Affected Issues: 15690
mod - application/controllers/admin/questionedit.php
mod - application/core/LSWebUser.php
add - application/core/LSYii_NoUpdateValidator.php
mod - application/core/LSYii_Validators.php
mod - application/models/QuestionL10n.php

Issue History

Date Modified Username Field Change
2019-12-30 18:40 DenisChenu New Issue
2019-12-30 18:40 DenisChenu Relationship added related to 15096
2020-01-03 15:24 DenisChenu Note Added: 55125
2020-01-07 17:29 DenisChenu Relationship added related to 15693
2020-01-08 13:26 ollehar Note Added: 55150
2020-01-08 13:41 ollehar Note Added: 55151
2020-01-08 13:51 ollehar Note Added: 55152
2020-01-08 13:52 ollehar Note Added: 55153
2020-01-08 14:54 DenisChenu File Added: Capture d’écran du 2020-01-08 14-54-18.png
2020-01-08 14:54 DenisChenu File Added: Capture d’écran du 2020-01-08 14-54-26.png
2020-01-08 14:57 DenisChenu Note Added: 55156
2020-01-08 14:59 ollehar Note Added: 55157
2020-01-08 15:11 DenisChenu Note Added: 55158
2020-01-08 15:12 DenisChenu Note Edited: 55158
2020-01-08 15:24 ollehar Note Added: 55160
2020-01-08 16:45 ollehar Note Added: 55163
2020-01-08 16:45 ollehar Assigned To => DenisChenu
2020-01-08 16:45 ollehar Status new => testing
2020-01-08 16:46 ollehar Note Edited: 55163
2020-01-08 17:33 DenisChenu Note Added: 55164
2020-01-08 17:56 DenisChenu Note Added: 55165
2020-01-09 17:18 DenisChenu Status testing => assigned
2020-01-09 17:20 DenisChenu Note Added: 55174
2020-01-10 07:59 DenisChenu Assigned To DenisChenu => ollehar
2020-01-10 07:59 DenisChenu Status assigned => testing
2020-01-10 07:59 DenisChenu Note Added: 55177
2020-01-10 10:30 ollehar Note Added: 55180
2020-01-10 10:30 ollehar Note Added: 55181
2020-01-10 10:49 ollehar Note Added: 55183
2020-01-10 11:44 DenisChenu Note Added: 55187
2020-01-10 11:45 DenisChenu Note Edited: 55187
2020-01-10 16:20 DenisChenu Relationship added related to 15702
2020-01-15 15:37 ollehar Changeset attached => LimeSurvey master 4774b185
2020-01-15 15:37 DenisChenu Note Added: 55291
2020-01-15 15:37 DenisChenu Assigned To ollehar => DenisChenu
2020-01-15 15:37 DenisChenu Resolution open => fixed