View Issue Details

This bug affects 1 person(s).
ID: 06545
Project: Bug reports
Category: Security
View Status: public
Last Update: 2012-09-09 15:34
Reporter: user21570
Assigned To: jcleeland
Priority: normal
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 1.92+
Fixed in Version: 1.92+
Summary: 06545: SQL injection in preview.php - parameter "lang"
Description

The "lang" parameter doesn't get sanitized before being used to
construct a SQL statement.

File: $LIMESURVEY/admin/preview.php
Line: 35, 45
Request: http://limesurvey/admin/admin.php?sid=123&action=previewquestion&qid=1&lang=de' OR 1=1

Steps To Reproduce

1) Log in as admin
2) http://limesurvey/admin/admin.php?sid=123&action=previewquestion&qid=1&lang=de' OR 1=1

Additional Information

Discovered by Markus Piéton (it.sec GmbH & Co. KG)

Tags: No tags attached.
Attached Files: sql-injection-lang.pdf (437,566 bytes)
Bug heat: 254
Complete LimeSurvey version number (& build): 120822
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL
Server OS (if known): Linux
Webserver software & version (if known): Apache
PHP Version: PHP

Activities

Mazi

2012-09-06 15:22

updater   ~20631

Hi Jason,
I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on Holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox).

Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.

jcleeland

2012-09-08 01:32

reporter   ~20644

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=9452

Related Changesets

LimeSurvey: master baa739ce

2012-09-07 16:32:19

jcleeland

Fixed issue 06545 - SQL injection in preview.php - parameter "lang". Sanitized language string.
Affected Issues: 06545
mod - admin/preview.php
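
A sketch of what sanitizing a language string before it reaches SQL can look like, added here as an example and not taken from the LimeSurvey changeset. The `questions` table, the function names, the tag pattern and the fallback to a base language are assumptions, and SQLite stands in for MySQL so the script runs on its own.

```php
<?php
// Added example: hypothetical schema and function names, not LimeSurvey code.

// Accept only short language tags such as "de", "pt-BR" or "de-informal".
function clean_language_code(string $lang): ?string
{
    return preg_match('/\A[a-z]{2,3}(?:-[A-Za-z]{2,10})?\z/', $lang) === 1 ? $lang : null;
}

// Look up question text with every request value bound, never concatenated.
function preview_question(PDO $db, int $qid, string $rawLang, string $baseLang): ?array
{
    // Fall back to the survey's base language when the value fails validation.
    $lang = clean_language_code($rawLang) ?? $baseLang;
    $stmt = $db->prepare(
        'SELECT qid, language, question FROM questions WHERE qid = :qid AND language = :lang'
    );
    $stmt->execute([':qid' => $qid, ':lang' => $lang]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (the report's server used MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (qid INTEGER, language TEXT, question TEXT)');
$db->exec("INSERT INTO questions VALUES (1, 'de', 'Wie alt sind Sie?'), (1, 'en', 'How old are you?')");

// Constructed inputs: a valid code, the value from the report, and a language with no row.
foreach (['de', "de' OR 1=1", 'fr'] as $input) {
    $row = preview_question($db, 1, $input, 'en');
    printf("%-12s => %s\n", $input, $row === null ? '(no row)' : $row['language'] . ': ' . $row['question']);
}
```

The pattern check and the bound parameter are independent layers: the value from the report fails validation and is replaced by the base language, and even a value that passed validation would reach the database only as data.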

Issue History

Date Modified Username Field Change
2012-09-04 19:01 user21570 New Issue
2012-09-04 19:01 user21570 File Added: sql-injection-lang.pdf
2012-09-06 15:22 Mazi Assigned To => jcleeland
2012-09-06 15:22 Mazi Status new => assigned
2012-09-06 15:22 Mazi Note Added: 20631
2012-09-08 01:32 jcleeland Changeset attached => LimeSurvey master baa739ce
2012-09-08 01:32 jcleeland Note Added: 20644
2012-09-08 01:32 jcleeland Resolution open => fixed
2012-09-08 01:33 jcleeland Status assigned => resolved
2012-09-08 01:33 jcleeland Fixed in Version => 1.92+
2012-09-09 15:34 c_schmitz Status resolved => closed