View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
19364Bug reportsSecuritypublic2024-01-19 07:302024-01-22 08:32
Reportersaimson1 Assigned ToDenisChenu  
PrioritynoneSeveritytrivial 
Status closedResolutionunable to reproduce 
Product Version5.6.x 
Summary19364: Stored Cross-Site Scripting
Description

The Vulnerability Requires Immediate attention to mitigate the issue since admin account ,can be took over by eploiting this vulnerability by stealing the cookies and tokens.
Background:
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.
Stored XSS occurs when the user input is stored in the application and it gets executed every time any user triggers or vests the page.

The application has the functionality to change the survey admin email, where the logged in user can change the email.

Issue:
During the testing, I observed that the application does not validate the user-supplied input properly on the client and server side correctly however the application has the protection.

The "General Setting" functionality has the field "Administrator email address:" which allowed us to insert some of the special characters into its field. So by leveraging the issue we inserted malicious javascript payloads into the field, and it gets stored in the database. When the user save or reloads the page it gets executed.

For Instance, We were able to bypass the validation on both the client and server sides and injected the XSS payload in the field and it get executed upon saving and reloading the page.

Steps To Reproduce

Steps to reproduce

  1. Login into the application and visit to general setting.
  2. Insert the java script payload as mentioned below in the "Administrator email address:" field.

Payload : infosaim2497@gmail.com">s<svg onload=confirm(document.domain)>

Expected result

  1. The application should pop an alert with domain after clicking on save and reloading the page

Actual result

  1. I observed that the application is vulnerable to Stored Cross-Site Scripting the executed our inserted payload.

As a security researcher i would recommend developers for immediate attention on this vulnerability and fix it as soon as possible.

TagsNo tags attached.
Attached Files
1 the field and the payload.png (218,415 bytes)
final pop.png (218,452 bytes)
Bug heat256
Complete LimeSurvey version number (& build)LimeSurvey Community Edition Version 5.3.32+220817
I will donate to the project if issue is resolvedNo
BrowserFirefox
Database type & versionMysql
Server OS (if known)Linux
Webserver software & version (if known)
PHP VersionPHP

Relationships

Relationship GraphDependency Graph
related to 19365 assigned Incomprehensible message when an error occurs in the general parameters. 

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2024-01-19 10:20

developer   ~79226

I can not confirm the XSS on admin part on 5.6.49

Capture d’écran du 2024-01-19 10-18-03.png (43,923 bytes)   
Capture d’écran du 2024-01-19 10-18-03.png (43,923 bytes)   
DenisChenu

DenisChenu

2024-01-19 10:21

developer   ~79227

Neither in 6.X

Capture vidéo du 2024-01-19 10-20-42.webm (369,313 bytes)   
Capture vidéo du 2024-01-19 10-20-42.webm (369,313 bytes)   
DenisChenu

DenisChenu

2024-01-19 10:27

developer   ~79228

Please update to the latest version and check if the bug can still be reproduced. Thank you.
ollehar

ollehar

2024-01-19 10:34

administrator   ~79229

Thanks for checking, Denis. +1
ollehar

ollehar

2024-01-19 13:41

administrator   ~79244

Obviously we're not gonna fix any issues on an outdated version. Please contact your server admin and make sure to update your LimeSurvey installation.
DenisChenu

DenisChenu

2024-01-19 14:54

developer   ~79245

I'm utilizing this exact version of the limesurvey "Version 5.3.32+220817", attaching the version poc for the same.

Please update to the latest version (5.6.49) and check if the bug can still be reproduced. Thank you.
DenisChenu

DenisChenu

2024-01-19 17:08

developer   ~79247

Additionally, would like to highlight I'm not using superadmin account you can see the menu bar in the attached poc.

I confirm there are an issue here, i create a separate bug
DenisChenu

DenisChenu

2024-01-22 08:29

developer   ~79257

And I'm security researcher man I've no rights to configure and develop the application where I found.

It's fixed in 5.6.49 : same version number. Ask your client to update … we can not update for you …

Some other security fix done between 5.3.32 and 5.6.49
https://github.com/LimeSurvey/LimeSurvey/blob/b20260dba597f415a294208cf20fdf9208fe87d4/docs/release_notes.txt#L1119C15-L1119C23
https://github.com/LimeSurvey/LimeSurvey/blob/b20260dba597f415a294208cf20fdf9208fe87d4/docs/release_notes.txt#L1038
https://github.com/LimeSurvey/LimeSurvey/blob/b20260dba597f415a294208cf20fdf9208fe87d4/docs/release_notes.txt#L891
https://github.com/LimeSurvey/LimeSurvey/blob/b20260dba597f415a294208cf20fdf9208fe87d4/docs/release_notes.txt#L887
https://github.com/LimeSurvey/LimeSurvey/blob/b20260dba597f415a294208cf20fdf9208fe87d4/docs/release_notes.txt#L707

etc …

What's the I'd of the new assigned bug?

https://bugs.limesurvey.org/view.php?id=19368

Capture d’écran du 2024-01-22 08-28-15.png (325,183 bytes)

Issue History

Date Modified Username Field Change
2024-01-19 07:30 saimson1 New Issue
2024-01-19 07:30 saimson1 File Added: 1 the field and the payload.png
2024-01-19 07:30 saimson1 File Added: final pop.png
2024-01-19 10:20 DenisChenu Note Added: 79226
2024-01-19 10:20 DenisChenu File Added: Capture d’écran du 2024-01-19 10-18-03.png
2024-01-19 10:20 DenisChenu Bug heat 256 => 258
2024-01-19 10:21 DenisChenu Note Added: 79227
2024-01-19 10:21 DenisChenu File Added: Capture vidéo du 2024-01-19 10-20-42.webm
2024-01-19 10:27 DenisChenu Relationship added related to 19365
2024-01-19 10:27 DenisChenu Assigned To => DenisChenu
2024-01-19 10:27 DenisChenu Status new => feedback
2024-01-19 10:27 DenisChenu Note Added: 79228
2024-01-19 10:34 ollehar Note Added: 79229
2024-01-19 10:34 ollehar Bug heat 258 => 260
2024-01-19 12:24 saimson1 Bug heat 260 => 262
2024-01-19 12:24 saimson1 Status feedback => assigned
2024-01-19 13:41 ollehar Note Added: 79244
2024-01-19 13:41 ollehar Status assigned => closed
2024-01-19 13:41 ollehar Resolution open => won't fix
2024-01-19 14:54 DenisChenu Note Added: 79245
2024-01-19 17:04 DenisChenu Resolution won't fix => unable to reproduce
2024-01-19 17:08 DenisChenu Note Added: 79247
2024-01-22 08:29 DenisChenu Note Added: 79257
2024-01-22 08:29 DenisChenu File Added: Capture d’écran du 2024-01-22 08-28-15.png
2024-01-22 08:32 DenisChenu View Status private => public
2024-01-22 08:32 DenisChenu Bug heat 262 => 256