View Issue Details

ID: 07105
Project: Bug reports
Category: Security
View Status: public
Last Update: 2013-01-02 21:30
Reporter: josepablo
Assigned To: c_schmitz
Priority: high
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 2.00+
Fixed in Version: 2.00+
Summary: 07105: SQL Injection/Blind SQL Injection
Description

POST/GET parameters are not being sanitized.

Setting the value of the parameter '553173X46X522' to 'A1%27+and+%27f%27%3D%27f' demonstrates that it gets executed by the database engine (SQL Injection).

Here's the POST request made to the server with the altered parameter:
fieldnames=553173X46X521%7C553173X46X522%7C553173X46X523SQ001%7C553173X46X523SQ002%7C553173X46X523SQ003%7C553173X46X523SQ004%7C553173X46X523SQ005%7C553173X46X523SQ006%7C553173X46X523SQ007%7C553173X46X531%7C553173X46X532%7C553173X46X536%7C553173X46X537%7C553173X46X538%7C553173X46X539%7C553173X46X540%7C553173X46X541%7C553173X46X542&553173X46X521=39&553173X46X522=A1%27+and+%27f%27%3D%27f&java553173X46X522=A1&MULTI553173X46X523=7&553173X46X523SQ001=Y&java553173X46X523SQ001=&553173X46X523SQ002=Y&java553173X46X523SQ002=&553173X46X523SQ003=Y&java553173X46X523SQ003=Y&553173X46X523SQ004=Y&java553173X46X523SQ004=&553173X46X523SQ005=Y&java553173X46X523SQ005=&553173X46X523SQ006=Y&java553173X46X523SQ006=&553173X46X523SQ007=Y&java553173X46X523SQ007=&553173X46X531=30134&553173X46X532=&java553173X46X532=&553173X46X536=&java553173X46X536=&553173X46X537=&java553173X46X537=&553173X46X538=&java553173X46X538=&553173X46X539=&java553173X46X539=&553173X46X540=&java553173X46X540=&553173X46X541=&java553173X46X541=&553173X46X542=&java553173X46X542=&lastgroup=553173X46&relevance521=1&relevance522=1&relevance523=1&relevance531=1&relevance532=0&relevance536=0&relevance537=0&relevance538=0&relevance539=0&relevance540=0&relevance541=0&relevance542=

Steps To Reproduce

The issue was found using IBM AppScan Enterprise Edition. It can be reproduced by altering the POST request as stated above.

Additional Information

In order to use LimeSurvey in government-approved projects the issue should be solved.

Complete LimeSurvey version number (& build): 121127
I will donate to the project if issue is resolved: Yes
Browser: All
Database type & version: MySQL 5.5.25a-27.1-log Percona Server (GPL), Release rel27.1, Revision 277
Server OS (if known): CentOS release 6.3 (Final)
Webserver software & version (if known): Nginx
PHP Version: 5.3.8


Activities

Mazi (updater), 2012-12-18 17:10, note ~23268

Carsten, can you have a look at this one?

I'm not sure where this POST request is made; I would guess when storing survey field values in the DB.

josepablo can surely provide more details.

c_schmitz (administrator), 2012-12-19 16:21, note ~23282

I am sorry but I cannot reproduce it here. Can you provide the related survey as .lss file please?

c_schmitz (administrator), 2012-12-19 16:25, note ~23283

And what output do you actually get that shows that the sql injection worked?

josepablo (reporter), 2012-12-19 22:37, note ~23290

These are the steps that were taken to produce the SQL Injection:

Set the value of the parameter 'lastgroup' to '553173X461+having+1%3D1--'

Here's the output we got: (Please look in the body section of the output, column not found...)

HTTP/1.1 500 CDbException
Server: nginx
Date: Tue, 11 Dec 2012 14:41:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.18
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 11 Dec 2012 14:41:32 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Internal Server Error</title>

....

<body>
<h1>Internal Server Error</h1>
<h2>CDbCommand failed to execute the SQL statement : SQLSTATE [42S22]: Column not found: 1054 Unknown column
'553173X461 having 1=1--time' in 'field list'</h2>
<p>
An internal error occurred while the Web server was processing your request.
Please contact the webmaster to report this problem.
</p>
<p>
Thank you.
</p>
<div class="version">
2012-12-11 09:41:33 </div>
</body>
</html>

c_schmitz (administrator), 2012-12-19 22:57, note ~23291

I am sorry but that's not an SQL injection - the only thing you can do with this is to create an error message - not elegant. But you won't be able to execute an arbitrary statement using this or create any other damage - because the (invalid) field name itself is properly quoted and you won't be able to break out of these quotes.

I admit this could be handled 'nicer' but in general it is low priority since it is not security relevant.

Anyway, thank you for bringing this to our attention. If you have another case to check please let me know.
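An added illustration of the point made in the note above, written for this page and not taken from LimeSurvey's Save.php (whose code is not shown here). It uses Python with SQLite standing in for MySQL, since SQLite accepts MySQL-style backtick-quoted identifiers, and a constructed table whose column names are the group id plus a suffix, matching the shape of the error on this page ('553173X461 having 1=1--' followed by 'time'). The table layout, the function names, the regular expression for a group id and the allow-list of known groups are assumptions. It shows the reporter's lastgroup payload landing inside a backtick-quoted identifier and producing only an unknown-column error; a payload that itself contains a backtick still being contained because the quote is doubled; and the class of fix the changeset title describes, validating lastgroup before any SQL is built so an invalid value is rejected cleanly instead of becoming a 500. The last function shows the Description's value payload stored verbatim when bound as a parameter; that values are bound is an assumption of the example, not a finding of this report.

```python
import re
import sqlite3

# Constructed stand-in for a survey response table (not LimeSurvey's schema):
# column names are <group id> + suffix, the shape seen in the error message
# on this page ('553173X461 having 1=1--' + 'time').
GROUP_ID = "553173X46"                      # lastgroup value from the POST on this page
KNOWN_GROUPS = {GROUP_ID}                   # assumption: the groups this survey really has
FIELD_ID_RE = re.compile(r"[0-9]+X[0-9]+")  # assumption: a group id looks like <sid>X<gid>

# Payloads from this report, URL-decoded
PAYLOAD_LASTGROUP = "553173X461 having 1=1--"
PAYLOAD_VALUE = "A1' and 'f'='f"


def open_db():
    """In-memory SQLite database with one response row (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE responses (id INTEGER PRIMARY KEY, "
        f"`{GROUP_ID}time` REAL, `{GROUP_ID}X522` TEXT)"
    )
    conn.execute(f"INSERT INTO responses (id, `{GROUP_ID}time`) VALUES (1, 12.5)")
    conn.commit()
    return conn


def quote_ident(name):
    """Backtick-quote an identifier, doubling embedded backticks (MySQL/SQLite rule)."""
    return "`" + name.replace("`", "``") + "`"


def read_group_time_quoted(conn, lastgroup):
    """Column name built from untrusted lastgroup, but quoted as an identifier.

    A bad value cannot break out of the backticks; the worst outcome is an
    'unknown column' error, which is what the 500 response on this page shows.
    """
    sql = f"SELECT {quote_ident(lastgroup + 'time')} FROM responses WHERE id = ?"
    try:
        return ("ok", conn.execute(sql, (1,)).fetchone()[0])
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def read_group_time_checked(conn, lastgroup):
    """Hardened form: validate lastgroup before any SQL is built, so an invalid
    value is rejected cleanly instead of surfacing as a database exception."""
    if not FIELD_ID_RE.fullmatch(lastgroup) or lastgroup not in KNOWN_GROUPS:
        return ("rejected", "invalid lastgroup")
    return read_group_time_quoted(conn, lastgroup)


def save_answer(conn, value):
    """Answer values are bound as parameters, so quotes in them are data, not SQL."""
    conn.execute(f"UPDATE responses SET `{GROUP_ID}X522` = ? WHERE id = ?", (value, 1))
    row = conn.execute(f"SELECT `{GROUP_ID}X522` FROM responses WHERE id = ?", (1,)).fetchone()
    return row[0]


def run_demo():
    """Exercise every path once and return the results keyed by scenario."""
    conn = open_db()
    return {
        "valid_group": read_group_time_quoted(conn, GROUP_ID),
        "payload_quoted": read_group_time_quoted(conn, PAYLOAD_LASTGROUP),
        "backtick_quoted": read_group_time_quoted(conn, GROUP_ID + "` FROM responses --"),
        "payload_checked": read_group_time_checked(conn, PAYLOAD_LASTGROUP),
        "valid_checked": read_group_time_checked(conn, GROUP_ID),
        "stored_value": save_answer(conn, PAYLOAD_VALUE),
    }


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(f"{scenario}: {result}")
```

Running it prints the valid group's stored time, the two quoted-identifier cases failing with "no such column" rather than executing anything, the checked version rejecting the payload before a query exists, and the answer value stored exactly as submitted. The regular expression alone would already reject the payload on this page; the allow-list is what also stops a well-formed but non-existent group id from reaching the database and producing the error seen here.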

c_schmitz (administrator), 2012-12-22 18:38, note ~23354

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10997

c_schmitz (administrator), 2012-12-22 19:09, note ~23363

Fix committed to 2.1 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=11006

c_schmitz (administrator), 2013-01-02 21:30, note ~23408

New version released.

Related Changesets

LimeSurvey: master 0df3fdf8 (2012-12-22 17:38:03, c_schmitz)
Fixed issue 07105: Bad error handling on invalid lastgroup POST
Affected Issues: 07105
mod - application/libraries/Save.php

LimeSurvey: 2.1 9be3c860 (2012-12-22 17:38:03, c_schmitz)
Fixed issue 07105: Bad error handling on invalid lastgroup POST
Affected Issues: 07105
mod - application/libraries/Save.php

Issue History

Date Modified Username Field Change
2012-12-18 16:43 josepablo New Issue
2012-12-18 17:08 Mazi Assigned To => c_schmitz
2012-12-18 17:08 Mazi Status new => assigned
2012-12-18 17:10 Mazi Note Added: 23268
2012-12-19 16:21 c_schmitz Note Added: 23282
2012-12-19 16:25 c_schmitz Note Added: 23283
2012-12-19 22:37 josepablo Note Added: 23290
2012-12-19 22:57 c_schmitz Note Added: 23291
2012-12-19 22:57 c_schmitz Status assigned => feedback
2012-12-22 18:38 c_schmitz Status feedback => resolved
2012-12-22 18:38 c_schmitz Fixed in Version => 2.00+
2012-12-22 18:38 c_schmitz Resolution open => fixed
2012-12-22 18:38 c_schmitz Changeset attached => LimeSurvey master 0df3fdf8
2012-12-22 18:38 c_schmitz Note Added: 23354
2012-12-22 19:09 c_schmitz Changeset attached => LimeSurvey 2.1 9be3c860
2012-12-22 19:09 c_schmitz Note Added: 23363
2013-01-02 21:30 c_schmitz Note Added: 23408
2013-01-02 21:30 c_schmitz Status resolved => closed