View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
06546Bug reportsSecuritypublic2012-09-04 19:042012-09-09 15:34
Reporteruser21570Assigned Tojcleeland  
PrioritynormalSeveritypartial_block 
Status closedResolutionfixed 
Product Version1.92+ 
Fixed in Version1.92+ 
Summary06546: SQL injection in userrighthandling.php - parameter "ugid"
Description

The "ugid" parameter doesn't get sanitized before beeing used to
construct a SQL statement.

File: $LIMESURVEY/admin/userrighthandling.php
Line: 640
Request: http://limesurvey/admin/admin.php?action=editusergroup&ugid=1 OR 1=1

Steps To Reproduce

1) Log in as admin
2) http://limesurvey/admin/admin.php?action=editusergroup&ugid=1 OR 1=1

Additional Information

Discovered by Markus Piéton (it.sec GmbH & Co. KG)

TagsNo tags attached.
Attached Files
sql-injection-ugid.pdf (411,330 bytes)
Bug heat256
Complete LimeSurvey version number (& build)120822
I will donate to the project if issue is resolvedNo
Browser
Database type & versionMySQL
Server OS (if known)Linux
Webserver software & version (if known)Apache
PHP VersionPHP

Users monitoring this issue

c_schmitz

Activities

Mazi

Mazi

2012-09-06 15:23

updater   ~20632

Hi Jason,
I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on Holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox).

Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.
jcleeland

jcleeland

2012-09-08 01:27

reporter   ~20643

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=9451

Related Changesets

LimeSurvey: master cf84cb62

2012-09-07 18:26

jcleeland


Details Diff		 Fixed issue 06546 - SQL injection in userrighthandling.php - parameter "ugid" Affected Issues
06546
mod - admin/userrighthandling.php Diff File

Issue History

Date Modified Username Field Change
2012-09-04 19:04 user21570 New Issue
2012-09-04 19:04 user21570 File Added: sql-injection-ugid.pdf
2012-09-06 15:22 Mazi Assigned To => jcleeland
2012-09-06 15:22 Mazi Status new => assigned
2012-09-06 15:22 Mazi Issue Monitored: c_schmitz
2012-09-06 15:23 Mazi Note Added: 20632
2012-09-08 01:27 jcleeland Changeset attached => LimeSurvey master cf84cb62
2012-09-08 01:27 jcleeland Note Added: 20643
2012-09-08 01:27 jcleeland Resolution open => fixed
2012-09-08 01:28 jcleeland Status assigned => resolved
2012-09-08 01:28 jcleeland Fixed in Version => 1.92+
2012-09-09 15:34 c_schmitz Status resolved => closed
2021-08-02 20:51 guest Bug heat 254 => 256