Advisory ID: SYSS-2017-013
Product: LimeSurvey
Manufacturer: LimeSurvey GmbH
Affected Version(s): Version 2.63.1+170305, Version 2.64.0+170307
Tested Version(s): Version 2.63.1+170305, Version 2.64.0+170307
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2017-03-24
Solution Date: 2017-05-22
Public Disclosure: 2017-07-26
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten & Manuel Stotz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The aim of the LimeSurvey application is to support users in setting up surveys (see [1]). This open source product can be used for both offline and online surveys.

The LimeSurvey application is vulnerable to Cross-Site Request Forgery attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified that, for example, the "delete user" functionality is vulnerable to Cross-Site Request Forgery. When an authenticated user who is allowed to delete users clicks a crafted link or visits a malicious site that exploits this vulnerability, he unknowingly deletes a user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By accessing the following link, the user with the corresponding user ID is deleted:

https://[HOST]/index.php/admin/user/sa/deluser/action/deluser/uid/[USERID]/user/10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade LimeSurvey to Version 2.65.1 (build 170522) or later.
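The CSRF pattern described above, as an added example that is not LimeSurvey's own code: a minimal Python model of a "delete user" handler in its pre-fix form (any authenticated GET deletes) beside a hardened form (POST only, plus a session-bound synchronizer token), replayed against a request path mirroring the PoC URL. The path, user table, session layout and the csrf_token field name are constructed for this example.

```python
import hmac
import secrets

def uid_from_path(path):
    """Read the uid out of a Yii-style path (.../uid/<n>/...); None if absent."""
    parts = path.strip("/").split("/")
    try:
        return int(parts[parts.index("uid") + 1])
    except (ValueError, IndexError):
        return None

def new_session(uid):
    """Login: bind a fresh, unguessable synchronizer token to the session."""
    return {"uid": uid, "csrf_token": secrets.token_hex(32)}

def vulnerable_deluser(method, path, form, session, users):
    # Pre-fix pattern: the only check is "is someone logged in?". The browser
    # attaches the session cookie to a GET triggered by another site, so it runs.
    uid = uid_from_path(path)
    if "uid" not in session or uid is None:
        return 403
    users.pop(uid, None)
    return 200

def hardened_deluser(method, path, form, session, users):
    # Fixed pattern: POST only, plus a form token equal (constant-time compare)
    # to the session-bound one, which a cross-site page cannot read.
    if method != "POST":
        return 405
    uid = uid_from_path(path)
    if "uid" not in session or uid is None:
        return 403
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return 403
    users.pop(uid, None)
    return 200

def demo():
    """Forged GET against both handlers, then a legitimate POST; returns {case: (status, user 42 still present)}."""
    path = "/index.php/admin/user/sa/deluser/action/deluser/uid/42/user/10"  # constructed, mirrors the PoC
    results = {}
    for name, handler in (("vulnerable", vulnerable_deluser), ("hardened", hardened_deluser)):
        users, session = {10: "admin", 42: "alice"}, new_session(10)  # victim admin is logged in
        status = handler("GET", path, {}, session, users)  # forged request: cookie sent, no token
        results[name] = (status, 42 in users)
    users, session = {10: "admin", 42: "alice"}, new_session(10)
    form = {"csrf_token": session["csrf_token"]}  # the application's own form carries the token
    results["legitimate"] = (hardened_deluser("POST", path, form, session, users), 42 in users)
    return results
```

Setting the session cookie with a SameSite attribute is a complementary browser-side defence, but the server-side token check is what makes the endpoint safe regardless of client.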
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-03-10: Vulnerability discovered
2017-03-24: Vulnerability reported to manufacturer
2017-05-22: Vulnerability resolved in Version 2.65.1 (build 170522)
2017-07-26: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product web site for LimeSurvey
    https://www.limesurvey.org
[2] SySS Security Advisory SYSS-2017-013
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-013.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten and Manuel Stotz of SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xBCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en