View Issue Details

ID: 06543
Project: Bug reports
Category: Security
View Status: public
Last Update: 2012-09-09 15:34
Reporter: user21570
Assigned To: jcleeland
Priority: high
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 1.92+
Fixed in Version: 1.92+
Summary: 06543: SQL injection in activate_functions.php - parameter "sid"
Description

The parameter "sid" of the "activate survey" request is vulnerable to
SQL injection attacks.

File: $LIMESURVEY/admin/activate_functions.php
Line: 152
Request: http://limesurvey/admin/admin.php?action=activate&sid=1 OR 1=1

The same bug seems to be in the function "surveyCheckStructure" but
this function doesn't seem to be used currently.

File: $LIMESURVEY/admin/surveytable_functions.php
Line: 215

Steps To Reproduce

1) Log in as admin
2) http://limesurvey/admin/admin.php?action=activate&sid=1 OR 1=1

Additional Information

Discovered by Markus Piéton (it.sec GmbH & Co. KG)

Tags: No tags attached.
Attached Files: sql-injection-sid.pdf (480,116 bytes)
Bug heat: 256
Complete LimeSurvey version number (& build): 120822
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL
Server OS (if known): Linux
Webserver software & version (if known): Apache
PHP Version: PHP/5.3.3

Users monitoring this issue

c_schmitz

Activities

Mazi

2012-09-06 15:21

updater   ~20629

Hi Jason,
I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox).

Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.

jcleeland

2012-09-08 00:48

reporter   ~20641

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=9450

Related Changesets

LimeSurvey: master 06b14cbf

2012-09-07 15:47:47

jcleeland

Fixed issue 06543 - SQL injection in activate_functions.php - parameter "sid". Found and replaced series of _GET['sid'] statements with the cleaned $surveyid parameter.

Affected Issues: 06543
mod - admin/activate_functions.php
mod - admin/surveytable_functions.php
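
The pattern the commit message describes, a raw request value replaced by a validated survey ID, shown as an added example; it is not LimeSurvey's code. The `surveys` table, the PDO/SQLite backend and the functions `activateRaw`, `cleanSurveyId` and `activateClean` are assumptions made for illustration, and the sample rows are constructed.

```php
<?php
// Added illustration, not LimeSurvey source. Table and function names are hypothetical.
// Constructed data: three inactive surveys in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE surveys (sid INTEGER PRIMARY KEY, active TEXT)');
$db->exec("INSERT INTO surveys VALUES (1,'N'), (2,'N'), (3,'N')");

// Vulnerable pattern: the raw request value is concatenated into a numeric context,
// so anything after the number becomes part of the WHERE clause.
function activateRaw(PDO $db, string $sid): int
{
    return $db->exec("UPDATE surveys SET active='Y' WHERE sid=" . $sid);
}

// Hardened pattern, step 1: accept only a positive decimal integer.
function cleanSurveyId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened pattern, step 2: use the cleaned value everywhere and bind it as an integer.
function activateClean(PDO $db, $raw): int
{
    $surveyid = cleanSurveyId($raw);
    if ($surveyid === null) {
        return 0; // reject the request instead of running a query
    }
    $stmt = $db->prepare("UPDATE surveys SET active='Y' WHERE sid = :sid");
    $stmt->bindValue(':sid', $surveyid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$payload = '1 OR 1=1'; // the "sid" value from the request in the report

// Run the vulnerable form inside a transaction so its effect can be undone.
$db->beginTransaction();
printf("raw   sid=%s: %d row(s) updated\n", $payload, activateRaw($db, $payload));
$db->rollBack();

printf("clean sid=%s: %d row(s) updated\n", $payload, activateClean($db, $payload));
printf("clean sid=%s: %d row(s) updated\n", '1', activateClean($db, '1'));
```

Validating once and reusing the cleaned variable matters because, as the commit message notes, the raw value was read in a series of places; any remaining direct read of the request parameter reintroduces the flaw.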

Issue History

Date Modified Username Field Change
2012-09-04 18:58 user21570 New Issue
2012-09-04 18:58 user21570 File Added: sql-injection-sid.pdf
2012-09-06 15:21 Mazi Note Added: 20629
2012-09-06 15:21 Mazi Assigned To => jcleeland
2012-09-06 15:21 Mazi Status new => acknowledged
2012-09-06 15:22 Mazi Issue Monitored: c_schmitz
2012-09-08 00:48 jcleeland Changeset attached => LimeSurvey master 06b14cbf
2012-09-08 00:48 jcleeland Note Added: 20641
2012-09-08 00:48 jcleeland Resolution open => fixed
2012-09-08 00:49 jcleeland Status acknowledged => resolved
2012-09-08 00:49 jcleeland Fixed in Version => 1.92+
2012-09-09 15:34 c_schmitz Status resolved => closed
2021-08-03 01:03 guest Bug heat 254 => 256