-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2017-014
Product: LimeSurvey
Manufacturer: LimeSurvey GmbH
Affected Version(s): Version 2.63.1+170305
Tested Version(s): Version 2.63.1+170305
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2017-03-24
Solution Date: 2017-06-12
Public Disclosure: 2017-07-26
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten & Manuel Stotz (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The aim of the LimeSurvey application is to support users setting up
surveys (see [1]). This Open Source product can be used for both offline
and online surveys.
The LimeSurvey application is vulnerable to Persistent Cross-Site
Scripting attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH identified that user-controlled input is stored and later
rendered without adequate output encoding in the LimeSurvey administration
interface. Two examples are the file name of an upload submitted through a
survey's file upload question and a user's full name, both of which are
vulnerable to Persistent (stored) Cross-Site Scripting.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
First, a survey that uses the file upload question type can be misused by
a respondent. He/she can upload an image whose file name contains an
attack vector, such as
.png
The JavaScript code is executed not only in the respondent's own browser
directly after the file is selected, but also in the administrator's
session when a survey administrator opens the overview that lists the
responses to this survey.
Second, under "Your account" -> "Full name", a LimeSurvey user can enter
an attack vector such as
'>
This attack vector is executed whenever the stored full name is rendered
in the survey permissions context, i.e. in the browser of any
administrator who views those permissions.
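The following is an added example written for this page; it is not code
from LimeSurvey or from SySS GmbH. It models the two rendering sinks the
advisory describes (an uploaded file name listed in the response overview,
and a user's full name placed into an attribute on a survey permissions
page), first without and then with HTML output encoding, and includes a
small markup audit that reports the tags and event-handler attributes a
browser would actually parse. The payloads and the markup templates are
constructed for this example and are not the advisory's; LimeSurvey's real
templates and its actual fix are not reproduced here. It runs under
Node.js without a browser.

```javascript
// Added example, not LimeSurvey code. Demonstrates stored XSS through an
// unescaped upload file name and an unescaped "Full name", and the output
// encoding that neutralises both. All inputs below are constructed.

// Constructed sample inputs: a respondent-controlled file name carrying a
// tag injection, and a user-controlled full name carrying an
// attribute break-out (single quote ends the value='...' attribute).
const SAMPLE_FILE_NAME = 'report<img src=x onerror=alert(1)>.png';
const SAMPLE_FULL_NAME = "Alice' onmouseover='alert(2)";

// HTML entity encoder suitable for both text and quoted-attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE sink 1: the file name is concatenated straight into the
// response overview, so markup inside the name becomes part of the page.
function renderUploadRowUnsafe(fileName) {
  return '<li class="upload">' + fileName + '</li>';
}

// HARDENED sink 1: same row, file name encoded for HTML text context.
function renderUploadRowSafe(fileName) {
  return '<li class="upload">' + escapeHtml(fileName) + '</li>';
}

// VULNERABLE sink 2: full name dropped into a single-quoted attribute, so a
// quote in the name terminates the attribute and lets new ones be added.
function renderPermissionRowUnsafe(fullName) {
  return "<input type='text' name='user' value='" + fullName + "'>";
}

// HARDENED sink 2: attribute value encoded; quotes can no longer close it.
function renderPermissionRowSafe(fullName) {
  return "<input type='text' name='user' value='" + escapeHtml(fullName) + "'>";
}

// Defence in depth for sink 1 (general practice, not described in the
// advisory): normalise the stored file name to a conservative allowlist,
// dropping any path component and leading dots.
function sanitizeUploadName(name) {
  const base = String(name).split(/[\\/]/).pop();
  const cleaned = base.replace(/[^A-Za-z0-9._-]+/g, '_').replace(/^\.+/, '');
  return (cleaned || 'upload').slice(0, 100);
}

// Markup audit: list start tags and the event-handler attributes (on*=)
// that sit outside quoted attribute values, i.e. the ones a browser would
// honour. Quoted strings are blanked first so text inside a value is not
// mistaken for an attribute.
function auditMarkup(html) {
  const tagRe = /<([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const tags = [];
  const handlers = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    tags.push(m[1].toLowerCase());
    const attrs = m[2].replace(/"[^"]*"|'[^']*'/g, '""');
    const hRe = /(?:^|\s)(on[a-z]+)\s*=/gi;
    let h;
    while ((h = hRe.exec(attrs)) !== null) handlers.push(h[1].toLowerCase());
  }
  return { tags, handlers };
}

// Stand-alone run: show what each sink produces for the constructed inputs.
for (const [label, html] of [
  ['upload row, unsafe', renderUploadRowUnsafe(SAMPLE_FILE_NAME)],
  ['upload row, safe', renderUploadRowSafe(SAMPLE_FILE_NAME)],
  ['permission row, unsafe', renderPermissionRowUnsafe(SAMPLE_FULL_NAME)],
  ['permission row, safe', renderPermissionRowSafe(SAMPLE_FULL_NAME)],
]) {
  console.log(label + ':', html, JSON.stringify(auditMarkup(html)));
}
```

Output encoding at the point where the stored value is written into the
page is what removes both findings; the sanitizeUploadName() step only
narrows what reaches storage and must not be relied on instead of
encoding, since the full name field has no such natural allowlist.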
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Upgrade LimeSurvey to Version 2.65.4 (build 170612) or later.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2017-03-09: Vulnerability discovered
2017-03-24: Vulnerability reported to manufacturer
2017-05-22: Vulnerability resolved in Version 2.65.4 (build 170612)
2017-07-26: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product web site for LimeSurvey
https://www.limesurvey.org
[2] SySS Security Advisory SYSS-2017-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-014.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Erlijn van Genuchten and
Manuel Stotz of SySS GmbH.
E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xBCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=6PWx
-----END PGP SIGNATURE-----