View Issue Details

This bug affects 1 person(s).
IDProjectCategoryView StatusLast Update
06543Bug reportsSecuritypublic2012-09-09 15:34
Reporteruser21570Assigned Tojcleeland  
Status closedResolutionfixed 
Product Version1.92+ 
Fixed in Version1.92+ 
Summary06543: SQL injection in activate_functions.php - parameter "sid"

The parameter "sid" of the "activate survey" request is vulnerable to
sql injection attacks.

File: $LIMESURVEY/admin/activate_functions.php
Line: 152
Request: http://limesurvey/admin/admin.php?action=activate&sid=1 OR 1=1

The same bug seems to be in the function "surveyCheckStructure" but
this functions doens't seem to be used currently.

File: $LIMESURVEY/admin/surveytable_functions.php
Line: 215

Steps To Reproduce

1) Log in as admin
2) http://limesurvey/admin/admin.php?action=activate&sid=1 OR 1=1

Additional Information

Discovered by Markus Piéton (it.sec GmbH & Co. KG)

TagsNo tags attached.
Attached Files
sql-injection-sid.pdf (480,116 bytes)
Bug heat256
Complete LimeSurvey version number (& build)120822
I will donate to the project if issue is resolvedNo
Database type & versionMySQL
Server OS (if known)Linux
Webserver software & version (if known)Apache
PHP VersionPHP/5.3.3

Users monitoring this issue





2012-09-06 15:21

updater   ~20629

Hi Jason,
I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on Holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox).

Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.



2012-09-08 00:48

reporter   ~20641

Fix committed to master branch:

Related Changesets

LimeSurvey: master 06b14cbf

2012-09-07 15:47:47


Details Diff
Fixed issue 06543 - SQL injection in activate_functions.php - parameter "sid". Found and replaced series of _GET['sid'] statements with the cleaned $surveyid parameter. Affected Issues
mod - admin/activate_functions.php Diff File
mod - admin/surveytable_functions.php Diff File

Issue History

Date Modified Username Field Change
2012-09-04 18:58 user21570 New Issue
2012-09-04 18:58 user21570 File Added: sql-injection-sid.pdf
2012-09-06 15:21 Mazi Note Added: 20629
2012-09-06 15:21 Mazi Assigned To => jcleeland
2012-09-06 15:21 Mazi Status new => acknowledged
2012-09-06 15:22 Mazi Issue Monitored: c_schmitz
2012-09-08 00:48 jcleeland Changeset attached => LimeSurvey master 06b14cbf
2012-09-08 00:48 jcleeland Note Added: 20641
2012-09-08 00:48 jcleeland Resolution open => fixed
2012-09-08 00:49 jcleeland Status acknowledged => resolved
2012-09-08 00:49 jcleeland Fixed in Version => 1.92+
2012-09-09 15:34 c_schmitz Status resolved => closed
2021-08-03 01:03 guest Bug heat 254 => 256