View Issue Details

ID: 06548
Project: Bug reports
Category: Security
View Status: public
Last Update: 2012-09-26 09:05
Reporter: user21570
Assigned To: c_schmitz
Priority: normal
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 1.92+
Fixed in Version: 1.92+
Summary: 06548: XSS injection in the function to reload a saved survey
Description

The function to reload a saved survey is prone to XSS. At least
three parameters are vulnerable to XSS.

Vulnerable parameters: loadname, loadpass, scid

poc @ github: https://gist.github.com/3623601

Steps To Reproduce

poc @ github: https://gist.github.com/3623601

Additional Information

Discovered by Markus Piéton (it.sec GmbH & Co. KG)

Tags: No tags attached.
Attached Files: xss-reload-survey.pdf (199,645 bytes)
Bug heat: 258
Complete LimeSurvey version number (& build): 120822
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL
Server OS (if known): Linux
Webserver software & version (if known): Apache
PHP Version: PHP

Users monitoring this issue

c_schmitz

Activities

Mazi (updater), 2012-09-06 15:23, note ~20634

Hi Jason,
I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox).

Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.

jcleeland (reporter), 2012-09-08 01:12, note ~20642

Not entirely sure how to fix this one, referring it to Carsten. The cleaning of the string needs to happen in common_functions.php in the function returnglobal($stringname); there needs to be some function to clean $stringname == 'loadpass' and $stringname == 'loadname' from any attempted XSS injection, but I don't know how this should be done.

The 'scid' parameter is not vulnerable to xss injection, in my opinion, because it is only ever tested to see whether it exists (see line 640 of index.php)
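As an added illustration of the two defences the discussion above circles around (it is not LimeSurvey code, and `reloadParam()` / `h()` are hypothetical names): validate the numeric `scid` on input and reject anything that is not a positive integer, and HTML-encode the free-text `loadname` / `loadpass` values only at the point where they are echoed back into the reload form.

```php
<?php
// Added example, not part of the LimeSurvey code base.
// Demonstrates per-parameter handling for the saved-survey reload form.

/**
 * Hypothetical stand-in for a returnglobal()-style accessor.
 * Reads $name from the request array and applies a rule for that parameter.
 */
function reloadParam(string $name, array $request)
{
    if (!array_key_exists($name, $request)) {
        return null;
    }
    $value = $request[$name];

    switch ($name) {
        case 'scid':
            // Saved-control id: only a positive integer is meaningful.
            // filter_var() returns false for anything else, so "7<b>" is rejected
            // rather than echoed back into the page.
            $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
            return $id === false ? null : $id;
        case 'loadname':
        case 'loadpass':
            // Free text: keep the raw value for the lookup; encoding happens at output.
            return is_string($value) ? $value : null;
        default:
            return null;
    }
}

/** Encode a value before placing it into an HTML attribute or text node. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request resembling a hostile reload-form submission.
$request = [
    'loadname' => 'bob" onmouseover="alert(1)',
    'loadpass' => "x'><script>alert(2)</script>",
    'scid'     => '7<script>alert(3)</script>',
];

$loadname = reloadParam('loadname', $request);
$scid     = reloadParam('scid', $request);   // null: rejected, never echoed

// Re-rendering the form: the encoded value cannot break out of the attribute,
// because " becomes &quot; and < becomes &lt;.
echo '<input type="text" name="loadname" value="' . h($loadname) . '">' . "\n";
```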

c_schmitz (administrator), 2012-09-13 14:35, note ~20673

marpie_ I am sorry but I cannot reproduce this in build 120822. It is reproducible in 120815 but had already been fixed for 120822. Can you please confirm that?

c_schmitz (administrator), 2012-09-19 17:24, note ~20731

Feedback please?

c_schmitz (administrator), 2012-09-26 09:05, note ~20817

Closing due to missing feedback.

Issue History

Date Modified Username Field Change
2012-09-04 19:11 user21570 New Issue
2012-09-04 19:11 user21570 File Added: xss-reload-survey.pdf
2012-09-06 15:23 Mazi Assigned To => jcleeland
2012-09-06 15:23 Mazi Status new => assigned
2012-09-06 15:23 Mazi Issue Monitored: c_schmitz
2012-09-06 15:23 Mazi Note Added: 20634
2012-09-08 01:12 jcleeland Assigned To jcleeland => c_schmitz
2012-09-08 01:12 jcleeland Note Added: 20642
2012-09-13 14:35 c_schmitz Note Added: 20673
2012-09-13 14:35 c_schmitz Status assigned => feedback
2012-09-19 17:24 c_schmitz Note Added: 20731
2012-09-26 09:05 c_schmitz Note Added: 20817
2012-09-26 09:05 c_schmitz Status feedback => closed
2012-09-26 09:05 c_schmitz Resolution open => fixed
2012-09-26 09:05 c_schmitz Fixed in Version => 1.92+
2021-08-04 19:16 guest Bug heat 256 => 258