View Issue Details

This bug affects 1 person(s).

ID: 19355
Project: Bug reports
Category: Security
View Status: public
Last Update: 2024-01-18 10:29
Reporter: saimson1
Assigned To: DenisChenu
Priority: none
Severity: text
Status: closed
Resolution: no change required
Product Version: 5.6.x
Summary: 19355: HTML Injection
Description

Issue Background:
HTML injection, also known as cross-site scripting (XSS), is a security vulnerability that allows an attacker to inject malicious scripts into a web application. These scripts can then be executed by other users who view the affected page. HTML injection can have serious consequences, including theft of sensitive information, session hijacking, and defacement of websites.

Issue:
During the assessment, I observed that the application fails to perform proper client- and server-side input sanitization and validation in the "Survey Title" field while creating a survey.

For instance, I was able to insert an HTML payload in the "Survey Title" field, which got reflected in the preview page of the survey. Thereby it is possible for me to inject any kind of HTML payload into the field, which may cause execution of XSS payloads as well, which can lead to stealing the cookie and taking over the user account.

POC is in the attached file.

Steps To Reproduce

Steps to reproduce

  1. Login into the application using the valid credentials.

  2. Click on the Create Survey button under the menu.

  3. In the Survey Title field insert the HTML payload "hello<u>saim</u>" as mentioned.

  4. Now click on the Create Survey button at the bottom.

Expected result

  1. The page will redirect us to the survey dashboard.

  2. There, click on the Preview button to see the result.

  3. After clicking on Preview, the page should show us the underlying string "saim" as inserted.

Actual result

  1. In the result we can see that our HTML payload got triggered in the preview page as expected.

  2. Observe that on the page the underline tag is reflected in the string "saim".

Additional Information

Set as public : no need to be in private

Tags: No tags attached.
Attached Files: (see Issue History)
Bug heat: 256
Complete LimeSurvey version number (& build): LimeSurvey Community Edition Version 5.3.32+220817
I will donate to the project if issue is resolved: No
Browser: Firefox
Database type & version: Unknown
Server OS (if known): Linux
Webserver software & version (if known): 
PHP Version: Php

Activities

DenisChenu (developer) ~79197
2024-01-18 09:13 (last edited: 2024-01-18 09:14)

> Login into the application using the valid credentials.

Can you confirm you use a superadmin account?

https://manual.limesurvey.org/Optional_settings/en#Security

filterxsshtml: This setting enables the filtering of suspicious HTML tags located within surveys, groups, and questions and answer texts in the administration interface. Leave this to 'false' only if you absolutely trust the users you created for the administration of LimeSurvey and if you want to allow these users to be able to use Javascript, Flash Movies, etc. The super admins never have their HTML filtered. The default value can be overridden in the global settings dialog or edited in config.php.

PS: hello<u>saim</u> is not XSS; for non-superadmin users we sanitize HTML for script.
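The policy the note above describes (formatting markup such as <u> in a title is accepted, while script-capable constructs are stripped for non-superadmin editors) is easiest to understand as an allowlist filter. The following stand-alone Python sanitizer is an added illustration of that policy; it is not LimeSurvey's filterxsshtml implementation, and the allowed tag and attribute sets, the URL-scheme check and the sample inputs are assumptions chosen for the example.

```python
"""Allowlist HTML sanitizer: keep harmless formatting, drop active content.

Added example, not LimeSurvey code. Only the stdlib HTMLParser is used, so
it runs offline. The allowlists below are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"u", "b", "i", "em", "strong", "br", "p", "a"}   # assumption
ALLOWED_ATTRS = {"a": {"href", "title"}}                          # assumption
VOID_TAGS = {"br"}
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")        # assumption


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # emitted output pieces
        self.open_tags = []    # stack of allowed tags we have emitted
        self.skip_depth = 0    # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers (on*) and anything outside the allowlist are dropped.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_URL_PREFIXES):
                    continue  # e.g. javascript: or data: URLs are removed
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag.lower() not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything up to the matching tag so output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so "&lt;script&gt;" stays inert text.
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return fragment with only allowlisted markup; scripts are removed."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample titles: the first is the one from this report.
    for sample in ("hello<u>saim</u>",
                   "hello<script>alert(1)</script>saim",
                   '<u onmouseover="x">saim</u>',
                   '<a href="javascript:alert(1)">link</a>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The first sample passes through unchanged, which is exactly the behaviour the note calls "not XSS": an underline tag in a title is harmless presentation. The other three lose only their script-capable parts. A filter like this is the server-side counterpart to the filterxsshtml setting; it is the reason an HTML-injection finding on its own does not establish a script-execution issue.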

DenisChenu (developer) ~79199
2024-01-18 09:26

> I'm using the standard user to create the survey, not the superadmin account.

Standard users are superadmin.

> Also the vulnerability is about HTML injection, not Cross-Site Scripting.

> In the result we can see that our HTML payload got triggered in the preview page as expected.

Preview page? The public page: HTML is allowed here.
If it's the admin page: please screenshot.

DenisChenu (developer) ~79201
2024-01-18 09:40

Still: public page: HTML is allowed here.

If it's the admin page: please screenshot (or name of page).

DenisChenu (developer) ~79205
2024-01-18 09:46

> HTML should not be allowed in the title.

Why? No reason to disallow it.

And yes: reading the POC, it talks of XSS and another adding script. But it doesn't care about HTML inside the title.
If you can insert HTML in text, why not in the title?

DenisChenu (developer) ~79206
2024-01-18 09:47

@tibor.pacalat: I close this issue.

HTML is allowed in the title; only scripts are disallowed for simple users (by default).

DenisChenu (developer) ~79209
2024-01-18 10:03

Set as public: no need to be in private.

tibor.pacalat (administrator) ~79212
2024-01-18 10:29

I agree @DenisChenu.

Issue History

Date Modified    | Username      | Field                  | Change
2024-01-18 08:51 | saimson1      | New Issue              |
2024-01-18 08:51 | saimson1      | File Added             | Lime Survey Web Application Penetration Testing - Issue Log 001.xlsx
2024-01-18 09:13 | DenisChenu    | Status                 | new => feedback
2024-01-18 09:13 | DenisChenu    | Note Added             | 79197
2024-01-18 09:13 | DenisChenu    | Bug heat               | 256 => 258
2024-01-18 09:14 | DenisChenu    | Note Edited            | 79197
2024-01-18 09:22 | saimson1      | Bug heat               | 258 => 260
2024-01-18 09:22 | saimson1      | Status                 | feedback => new
2024-01-18 09:26 | DenisChenu    | Note Added             | 79199
2024-01-18 09:26 | DenisChenu    | File Added             | Capture d’écran du 2024-01-18 09-25-17.png
2024-01-18 09:40 | DenisChenu    | Note Added             | 79201
2024-01-18 09:46 | DenisChenu    | Note Added             | 79205
2024-01-18 09:47 | DenisChenu    | Assigned To            | => DenisChenu
2024-01-18 09:47 | DenisChenu    | Status                 | new => closed
2024-01-18 09:47 | DenisChenu    | Resolution             | open => no change required
2024-01-18 09:47 | DenisChenu    | Note Added             | 79206
2024-01-18 09:47 | DenisChenu    | Severity               | feature => text
2024-01-18 10:02 | DenisChenu    | View Status            | private => public
2024-01-18 10:02 | DenisChenu    | Additional Information | Updated
2024-01-18 10:02 | DenisChenu    | Bug heat               | 260 => 254
2024-01-18 10:03 | DenisChenu    | Note Added             | 79209
2024-01-18 10:29 | tibor.pacalat | Note Added             | 79212
2024-01-18 10:29 | tibor.pacalat | Bug heat               | 254 => 256