ID: 07105
Project: Bug reports
Category: [All Projects] Security
View Status: public
Date Submitted: 2012-12-18 16:43
Last Update: 2013-01-02 21:30
Assigned To: c_schmitz
Product Version: 2.00+
Target Version:
Fixed in Version: 2.00+
Summary: 07105: SQL Injection/Blind SQL Injection
Description: POST/GET parameters are not being sanitized.

Setting the value of the parameter '553173X46X522' to 'A1%27+and+%27f%27%3D%27f' demonstrates that it gets executed by the database engine (SQL Injection).

Here's the POST request made to the server with the altered parameter:
46X521=39& 553173X46X522=A1%27+and+%27f%27%3D%27f
Steps To Reproduce: The issue was found using IBM AppScan Enterprise Edition. It can be reproduced by altering the POST request as stated above.
Additional Information: In order to use LimeSurvey in government-approved projects the issue should be solved.
Complete LimeSurvey version number (& build): 121127
I will donate to the project if issue is resolved: Yes
Database & DB-Version: MySQL 5.5.25a-27.1-log Percona Server (GPL), Release rel27.1, Revision 277
Operating System (Server): CentOS release 6.3 (Final)
Webserver software & version: Nginx
PHP Version: 5.3.8
-  Notes
Mazi (developer)
2012-12-18 17:10

Carsten, can you have a look at this one?

I'm not sure where this POST request is made, I would guess when storing survey field values at the DB.

josepablo can surely provide more details.
c_schmitz (administrator)
2012-12-19 16:21

I am sorry but I cannot reproduce it here. Can you provide the related survey as .lss file please?
c_schmitz (administrator)
2012-12-19 16:25

And what output do you actually get that shows that the SQL injection worked?
josepablo (reporter)
2012-12-19 22:37

These are the steps that were taken to produce the SQL Injection:

Set the value of the parameter 'lastgroup' to '553173X461+having+1%3D1--'

Here's the output we got: (Please look in the body section of the output, column not found...)

HTTP/1.1 500 CDbException
Server: nginx
Date: Tue, 11 Dec 2012 14:41:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.18
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 11 Dec 2012 14:41:32 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Internal Server Error</title>


<h1>Internal Server Error</h1>
<h2>CDbCommand failed to execute the SQL statement : SQLSTATE [42S22]: Column not found: 1054 Unknown column
'553173X461 having 1=1--time' in 'field list'</h2>

An internal error occurred while the Web server was processing your request.
Please contact the webmaster to report this problem.

Thank you.

<div class="version">
2012-12-11 09:41:33 </div>
c_schmitz (administrator)
2012-12-19 22:57

I am sorry but that's not an SQL injection - the only thing you can do with this is to create an error message - not elegant. But you won't be able to execute an arbitrary statement using this or create any other damage - because the (invalid) field name itself is properly quoted and you won't be able to break out of these quotes.

I admit this could be handled 'nicer' but in general it is low priority since it is not security relevant.

Anyway, thank you for bringing this to our attention. If you have another case to check please let me know.
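Added example, not LimeSurvey's code and not the Save.php fix this issue was closed with (the patch is not shown on this page): it contrasts the behaviour the note above describes, where the POSTed 'lastgroup' name is quoted as an identifier and so cannot escape the query but an unknown name still reaches the engine and comes back as a 500 with the SQL error in the body, with an allow-list check against the survey's own field names that rejects the value with a 400 before it ever becomes SQL. The table, the column names, KNOWN_FIELDS and the status_for helper are constructed assumptions, and SQLite with backtick quoting stands in for MySQL.

```python
import sqlite3

# Constructed sample: column names follow the SGQA pattern seen in the
# report (553173X46X522); this is not LimeSurvey's real schema.
KNOWN_FIELDS = ("id", "553173X46X521", "553173X46X522", "lastpage")

def make_db():
    """In-memory stand-in for the survey response table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE survey_553173 (id INTEGER PRIMARY KEY, "
               "`553173X46X521` TEXT, `553173X46X522` TEXT, lastpage INTEGER)")
    db.execute("INSERT INTO survey_553173 VALUES (1, '39', 'A1', 2)")
    return db

def quote_ident(name):
    """MySQL-style identifier quoting; a backtick inside the name is doubled."""
    return "`" + name.replace("`", "``") + "`"

def read_field_quoted_only(db, field, row_id):
    """What the note describes: the quoted name cannot escape the identifier,
    but an unknown name still reaches the engine and raises there."""
    sql = "SELECT %s FROM survey_553173 WHERE id = ?" % quote_ident(field)
    return db.execute(sql, (row_id,)).fetchone()[0]

class BadRequest(ValueError):
    """Maps to HTTP 400: the client named a field this survey does not have."""

def read_field_allowlisted(db, field, row_id, known=KNOWN_FIELDS):
    """Reject the name before it becomes SQL; the DB error never reaches the client."""
    if field not in known:
        raise BadRequest("unknown field name: %r" % field)
    return read_field_quoted_only(db, field, row_id)

def status_for(field, row_id=1):
    """HTTP status each strategy would yield for one client-supplied name."""
    db = make_db()
    try:
        read_field_quoted_only(db, field, row_id)
        quoted = 200
    except sqlite3.OperationalError:
        quoted = 500  # the CDbException / "Column not found" path in the report
    try:
        read_field_allowlisted(db, field, row_id)
        allowed = 200
    except BadRequest:
        allowed = 400
    return quoted, allowed
```

The point a reviewer takes from it is the one the note makes: quoting bounds the damage to an error, and the allow-list is what keeps that error (and the SQL it quotes) out of the HTTP response.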
c_schmitz (administrator)
2012-12-22 18:38

Fix committed to master branch.
c_schmitz (administrator)
2012-12-22 19:09

Fix committed to 2.1 branch.
c_schmitz (administrator)
2013-01-02 21:30

New version released.

- Related Changesets
LimeSurvey: master 0df3fdf8
Timestamp: 2012-12-22 17:38:03
Author: c_schmitz
Committer: c-schmitz
Fixed issue 07105: Bad error handling on invalid lastgroup POST
mod - application/libraries/Save.php
LimeSurvey: 2.1 9be3c860
Timestamp: 2012-12-22 17:38:03
Author: c_schmitz
Committer: c-schmitz
Fixed issue 07105: Bad error handling on invalid lastgroup POST
mod - application/libraries/Save.php

- Issue History
Date Modified Username Field Change
2012-12-18 16:43 josepablo New Issue
2012-12-18 17:08 Mazi Assigned To => c_schmitz
2012-12-18 17:08 Mazi Status new => assigned
2012-12-18 17:10 Mazi Note Added: 23268
2012-12-19 16:21 c_schmitz Note Added: 23282
2012-12-19 16:25 c_schmitz Note Added: 23283
2012-12-19 22:37 josepablo Note Added: 23290
2012-12-19 22:57 c_schmitz Note Added: 23291
2012-12-19 22:57 c_schmitz Status assigned => feedback
2012-12-22 18:38 c_schmitz Status feedback => resolved
2012-12-22 18:38 c_schmitz Fixed in Version => 2.00+
2012-12-22 18:38 c_schmitz Resolution open => fixed
2012-12-22 18:38 c_schmitz Changeset attached => LimeSurvey master 0df3fdf8
2012-12-22 18:38 c_schmitz Note Added: 23354
2012-12-22 19:09 c_schmitz Changeset attached => LimeSurvey 2.1 9be3c860
2012-12-22 19:09 c_schmitz Note Added: 23363
2013-01-02 21:30 c_schmitz Note Added: 23408
2013-01-02 21:30 c_schmitz Status resolved => closed
