2016-12-04 02:50 CET

ID: 07105
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2013-01-02 21:30
Reporter: josepablo
Assigned To: c_schmitz
Priority: high
Severity: major
Status: closed
Resolution: fixed
Product Version: 2.00+
Target Version:
Fixed in Version: 2.00+
Summary: 07105: SQL Injection/Blind SQL Injection
Description: POST/GET parameters are not being sanitized.

Setting the value of the parameter '553173X46X522' to 'A1%27+and+%27f%27%3D%27f' demonstrates that it gets executed by the database engine (SQL Injection).

Here's the POST request made to the server with the altered parameter:
fieldnames=553173X46X521%7C553173X46X522%7C553173X46X523SQ001%7C553173X46X523SQ002%7C553173X46X523SQ003%7C553173X46X523SQ004%7C553173X46X523SQ005%7C553173X46X523SQ006%7C553173X46X523SQ007%7C553173X46X531%7C553173X46X532%7C553173X46X536%7C553173X46X537%7C553173X46X538%7C553173X46X539%7C553173X46X540%7C553173X46X541%7C553173X46X542
&553173X46X521=39
&553173X46X522=A1%27+and+%27f%27%3D%27f
&java553173X46X522=A1
&MULTI553173X46X523=7
&553173X46X523SQ001=Y
&java553173X46X523SQ001=
&553173X46X523SQ002=Y
&java553173X46X523SQ002=
&553173X46X523SQ003=Y
&java553173X46X523SQ003=Y
&553173X46X523SQ004=Y
&java553173X46X523SQ004=
&553173X46X523SQ005=Y
&java553173X46X523SQ005=
&553173X46X523SQ006=Y
&java553173X46X523SQ006=
&553173X46X523SQ007=Y
&java553173X46X523SQ007=
&553173X46X531=30134
&553173X46X532=
&java553173X46X532=
&553173X46X536=
&java553173X46X536=
&553173X46X537=
&java553173X46X537=
&553173X46X538=
&java553173X46X538=
&553173X46X539=
&java553173X46X539=
&553173X46X540=
&java553173X46X540=
&553173X46X541=
&java553173X46X541=
&553173X46X542=
&java553173X46X542=
&lastgroup=553173X46
&relevance521=1
&relevance522=1
&relevance523=1
&relevance531=1
&relevance532=0
&relevance536=0
&relevance537=0
&relevance538=0
&relevance539=0
&relevance540=0
&relevance541=0
&relevance542=
Steps To Reproduce: The issue was found using IBM AppScan Enterprise Edition. It can be reproduced by altering the POST request as stated above.
Additional Information: In order to use LimeSurvey in government-approved projects the issue should be solved.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 121127
I will donate to the project if issue is resolved: Yes
Browser: All
Database & DB-Version: MySQL 5.5.25a-27.1-log Percona Server (GPL), Release rel27.1, Revision 277
Operating System (Server): CentOS release 6.3 (Final)
Webserver software & version: Nginx
PHP Version: 5.3.8

Notes

~23268

Mazi (developer)

Carsten, can you have a look at this one?

I'm not sure where this POST request is made, I would guess when storing survey field values at the DB.

josepablo can surely provide more details.

~23282

c_schmitz (administrator)

I am sorry but I cannot reproduce it here. Can you provide the related survey as .lss file please?

~23283

c_schmitz (administrator)

And what output do you actually get that shows that the sql injection worked?

~23290

josepablo (reporter)

These are the steps that were taken to produce the SQL Injection:

Set the value of the parameter 'lastgroup' to '553173X461+having+1%3D1--'


Here's the output we got: (Please look in the body section of the output, column not found...)

HTTP/1.1 500 CDbException
Server: nginx
Date: Tue, 11 Dec 2012 14:41:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.18
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 11 Dec 2012 14:41:32 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Internal Server Error</title>

....

<body>
<h1>Internal Server Error</h1>
<h2>CDbCommand failed to execute the SQL statement : SQLSTATE [42S22]: Column not found: 1054 Unknown column '553173X461 having 1=1--time' in 'field list'</h2>


An internal error occurred while the Web server was processing your request.
Please contact the webmaster to report this problem.



Thank you.


<div class="version">
2012-12-11 09:41:33 </div>
</body>
</html>

~23291

c_schmitz (administrator)

I am sorry but that's not an SQL injection - the only thing you can do with this is to create an error message - not elegant. But you won't be able to execute an arbitrary statement using this or create any other damage - because the (invalid) field name itself is properly quoted and you won't be able to break out of these quotes.

I admit this could be handled 'nicer' but in general it is low priority since it is not security relevant.

Anyway, thank you for bringing this to our attention. If you have another case to check please let me know.
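Added example (editor's code; not part of the bug report, of any note in this thread, or of LimeSurvey itself). It takes the two payloads from this issue, the tautology value sent for 553173X46X522 in the description and the lastgroup value from note ~23290, and runs them against a constructed SQLite table to show the two checks a practitioner wants before calling a scanner hit an injection. First, a blind test is a true/false pair: the true half alone (the only half AppScan sent) proves nothing, and only a query that splices the value into the SQL text makes the pair diverge. Second, a value that lands inside a backtick-quoted identifier, which is how the lastgroup + 'time' column name appears in the error above, produces an unknown-column error rather than running the appended HAVING, which is the maintainer's point in note ~23291. SQLite stands in for MySQL here (both quote identifiers with backticks and both reject an unknown quoted column); the table, column names, query shapes and the regular expression used to whitelist lastgroup are assumptions, not LimeSurvey's schema or its fix.

```python
"""Added example, not LimeSurvey code: the two payloads from this report run against a
constructed SQLite table (stand-in for MySQL; schema and queries are assumptions)."""
import re
import sqlite3

# Payloads from the report, URL-decoded.
TRUE_PAYLOAD = "A1' and 'f'='f"                 # value sent for 553173X46X522
FALSE_PAYLOAD = "A1' and 'f'='g"                # constructed 'false' twin for the blind pair
LASTGROUP_PAYLOAD = "553173X461 having 1=1--"   # value sent for lastgroup in note ~23290

# Assumption: a survey/group id looks like <surveyid>X<groupid>, as in 553173X46.
GROUP_ID = re.compile(r"\d+X\d+")


def make_db():
    """Constructed sample response table; not the LimeSurvey schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE responses (id INTEGER PRIMARY KEY, "
                "`553173X46X522` TEXT, `553173X46time` REAL)")
    con.executemany("INSERT INTO responses VALUES (?, ?, ?)",
                    [(1, "A1", 12.5), (2, "A2", 3.0), (3, "A1", 7.25)])
    return con


def count_concat(con, value):
    """Deliberately vulnerable: the answer value is spliced into a string literal."""
    sql = "SELECT COUNT(*) FROM responses WHERE `553173X46X522` = '%s'" % value
    return con.execute(sql).fetchone()[0]


def count_param(con, value):
    """Hardened twin: same query, value bound as a parameter."""
    sql = "SELECT COUNT(*) FROM responses WHERE `553173X46X522` = ?"
    return con.execute(sql, (value,)).fetchone()[0]


def blind_pair_diverges(counter, con):
    """A blind test is a pair. Injection is indicated only when the true and false
    halves give different results for the same query shape."""
    return counter(con, TRUE_PAYLOAD) != counter(con, FALSE_PAYLOAD)


def quote_ident(name):
    """Backtick-quote an identifier, doubling embedded backticks (MySQL and SQLite syntax)."""
    return "`" + name.replace("`", "``") + "`"


def group_time_concat(con, lastgroup):
    """Column name built from lastgroup + 'time', as the error in note ~23290 shows, but quoted.
    The payload stays inside the quotes: the HAVING is never parsed as SQL, and the database
    only reports an unknown column (MySQL error 1054 on the page; 'no such column' here)."""
    sql = "SELECT %s FROM responses ORDER BY id" % quote_ident(lastgroup + "time")
    return [row[0] for row in con.execute(sql)]


def group_time_error(con, lastgroup):
    """Return the database error text for a lastgroup value, or None if the query ran."""
    try:
        group_time_concat(con, lastgroup)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def lastgroup_is_valid(lastgroup):
    """Whitelist check to run before any identifier is built: quoting stops the breakout,
    validation also stops the noisy 500 error. Assumed pattern, not LimeSurvey's fix."""
    return GROUP_ID.fullmatch(lastgroup) is not None


def group_time_checked(con, lastgroup):
    """Validated variant: reject anything that is not a survey/group id."""
    if not lastgroup_is_valid(lastgroup):
        raise ValueError("lastgroup is not a survey/group id: %r" % lastgroup)
    return group_time_concat(con, lastgroup)


if __name__ == "__main__":
    con = make_db()
    print("concatenated query, pair diverges:", blind_pair_diverges(count_concat, con))
    print("parameterised query, pair diverges:", blind_pair_diverges(count_param, con))
    print("lastgroup=553173X46 ->", group_time_concat(con, "553173X46"))
    print("lastgroup payload ->", group_time_error(con, LASTGROUP_PAYLOAD))
    print("payload passes whitelist:", lastgroup_is_valid(LASTGROUP_PAYLOAD))
```

Run as a script it prints the divergence result for both query shapes, the timing values for a legitimate lastgroup, the unknown-column error the payload produces, and that the payload fails the whitelist. The point for triage: the scanner's finding on 553173X46X522 is only evidence if the false twin of the payload behaves differently, and the lastgroup error, while worth fixing as input validation, is consistent with a quoted identifier rather than a breakout.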

~23354

c_schmitz (administrator)

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10997

~23363

c_schmitz (administrator)

Fix committed to 2.1 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=11006

~23408

c_schmitz (administrator)

New version released.

Issue History
Date Modified Username Field Change
2012-12-18 16:43 josepablo New Issue
2012-12-18 17:08 Mazi Assigned To => c_schmitz
2012-12-18 17:08 Mazi Status new => assigned
2012-12-18 17:10 Mazi Note Added: 23268
2012-12-19 16:21 c_schmitz Note Added: 23282
2012-12-19 16:25 c_schmitz Note Added: 23283
2012-12-19 22:37 josepablo Note Added: 23290
2012-12-19 22:57 c_schmitz Note Added: 23291
2012-12-19 22:57 c_schmitz Status assigned => feedback
2012-12-22 18:38 c_schmitz Status feedback => resolved
2012-12-22 18:38 c_schmitz Fixed in Version => 2.00+
2012-12-22 18:38 c_schmitz Resolution open => fixed
2012-12-22 18:38 c_schmitz Changeset attached => LimeSurvey master 0df3fdf8
2012-12-22 18:38 c_schmitz Note Added: 23354
2012-12-22 19:09 c_schmitz Changeset attached => LimeSurvey 2.1 9be3c860
2012-12-22 19:09 c_schmitz Note Added: 23363
2013-01-02 21:30 c_schmitz Note Added: 23408
2013-01-02 21:30 c_schmitz Status resolved => closed