-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2017-014
Product: LimeSurvey
Manufacturer: LimeSurvey GmbH
Affected Version(s): Version 2.63.1+170305
Tested Version(s): Version 2.63.1+170305
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2017-03-24
Solution Date: 2017-06-12
Public Disclosure: 2017-07-26
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten & Manuel Stotz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The aim of the LimeSurvey application is to support users in setting up
surveys (see [1]). This Open Source product can be used for both offline
and online surveys.

The LimeSurvey application is vulnerable to Persistent Cross-Site
Scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified that, for example, the file upload functionality in
a survey question and a user's full name are vulnerable to Persistent
Cross-Site Scripting: the values are stored and later rendered into HTML
without being output-encoded, so the injected markup executes in the
browser of whoever views the affected page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

First, a survey that uses the file upload functionality can be misused by
a user. He/she can upload an image with an attack vector in the file
name, such as .png

The JavaScript code is not only executed directly after selecting the
file, but also when a survey administrator opens the overview that lists
the answers of this survey. The stored file name is therefore executed
in the administrator's session, not only in the respondent's own.

Second, under "Your account" -> "Full name", a user can enter an attack
vector such as '>

This attack vector is executed in the survey permissions context, i.e.
when the survey permissions view is rendered for the user who opens it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade LimeSurvey to Version 2.65.4 (build 170612) or later.
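The two sinks described above share one root cause: a stored, user-controlled string (an uploaded file name, an account's full name) is concatenated into HTML without contextual output encoding. The following is an added illustration written for this advisory, not LimeSurvey's own code or the original attack vectors, which are not reproduced here. It renders a minimal "answers overview" table twice, once the vulnerable way and once with HTML escaping, and adds a whitelist-based file name sanitizer as defence in depth at the upload sink. The hostile sample values, the row structure and all function names are constructed assumptions for the example.

```python
import html
import re

# Constructed sample values standing in for user-controlled data.
# These are generic XSS canaries, not the advisory's original vectors.
HOSTILE_FILENAME = "<script>alert('xss')</script>.png"
HOSTILE_FULLNAME = "'><img src=x onerror=alert('xss')>"


def render_vulnerable(rows):
    """Vulnerable pattern (CWE-79): untrusted values are concatenated
    straight into the HTML of the answers overview."""
    cells = "".join(
        f"<tr><td>{r['user']}</td><td>{r['filename']}</td></tr>" for r in rows
    )
    return f"<table>{cells}</table>"


def render_hardened(rows):
    """Hardened pattern: every untrusted value is HTML-escaped for the
    element-content context, with quotes escaped as well so the same
    helper stays safe if a value is later placed in an attribute."""
    cells = "".join(
        f"<tr><td>{html.escape(r['user'], quote=True)}</td>"
        f"<td>{html.escape(r['filename'], quote=True)}</td></tr>"
        for r in rows
    )
    return f"<table>{cells}</table>"


# Characters allowed to survive in a stored upload name.
_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_upload_name(name, max_len=100):
    """Defence in depth at the upload sink: drop any directory part,
    replace everything outside a conservative whitelist, and reject
    names that collapse to nothing. This does NOT replace output
    encoding; escaping on render is still required."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = _UNSAFE_NAME_CHARS.sub("_", base).strip(".")
    if not cleaned:
        raise ValueError("unusable file name")
    return cleaned[:max_len]


def survives_as_markup(rendered, value):
    """Tester's check: does the raw untrusted value appear verbatim in
    the rendered page (i.e. was it emitted as live markup)?"""
    return value in rendered


if __name__ == "__main__":
    rows = [{"user": HOSTILE_FULLNAME, "filename": HOSTILE_FILENAME}]
    print("vulnerable :", render_vulnerable(rows))
    print("hardened   :", render_hardened(rows))
    print("stored name:", sanitize_upload_name("../../" + HOSTILE_FILENAME))
```

Running the module shows the vulnerable rendering emitting the `<script>` and `<img onerror>` markup untouched, while the hardened rendering turns `<`, `>`, `'` and `"` into entities so the browser displays the text instead of executing it. The sanitizer is a second layer only: a name such as `report 2017.png` becomes `report_2017.png`, but the fix that actually closes CWE-79 is the escaping at the point where the value is written into the page.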
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-03-09: Vulnerability discovered
2017-03-24: Vulnerability reported to manufacturer
2017-05-22: Vulnerability resolved in Version 2.65.4 (build 170612)
2017-07-26: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product web site for LimeSurvey
    https://www.limesurvey.org
[2] SySS Security Advisory SYSS-2017-014
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-014.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten and
Manuel Stotz of SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xBCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJZcHAGAAoJEAylhje9lv8qTnUQAKaFI5ioQJ1fG53HRsb4cRC1
vvkKxlut5aeiAiArwsSXNTxfJAozU4gMXUWo0whEXaLlmKZuC58uo57OANE/vlRJ
4BkBvzcLaKHURI2nn7RMBc30t8Nh8OgVB0I7l4YtYaAPKFNmEtNzZ8cwFaxOmS44
dU24zpmXZWIuWvh9cGzQDZnPYWENmy7tgtglQsClTr0RlNhWxEoUPK819hQM9mub
Ox06k7PHxpG3tDkEmFLfJic+LJLSgI/VGnYRmNLCmZj08UM5zflBWYO+umOt6KtR
h1IqZO/eCcwYYWtL4ivZCwLHpWZrqDmqQbvShR06NGYn+Hk1pgE4ZLciGSUicxS3
PTNHtIZfEAp0XKsiXxYbK5tR4R100wD4Za3/jmeX71rtcldQSWK86XPq+AP3jc93
CBQAHrtQnu4BLJSfFjx+cALDR8tz9Y+GwXOzhVJcwjQcDIoRBM1iGkykC7kejppO
t4vSk5N66KbX1qHmIJ/45QTqIWm5BjCtGkvQwHY40bbtyfetUhwFL1IjgMfx83WY
7E/3i0V9C9K6B/vhsox/V/2ynSChMd4Oc6LmSOnhPLFSXC3GUw7djSGAItSNya6s
mSlkByKcdxdlO+fQ3TfuyLQhqgE+ZzY/4desf+WMd5WlMhWO38hvOEUSBebLOK6t
SoKE2fwVXkesjgAmfg7w
=6PWx
-----END PGP SIGNATURE-----