
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Medium
Advisory ID: ZSL-2013-5161
Release Date: 23 November 2013
Vendor: LimeSurvey Project Team - http://www.limesurvey.org
Affected Version: 2.00+ build 131009, 2.00+ build 131022, 2.00+ build 131031, 2.00+ build 131107
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a

Summary

LimeSurvey (formerly PHPSurveyor) is a free and open source on-line survey application written in PHP, based on a MySQL, PostgreSQL or MSSQL database and distributed under the GNU General Public License. As web server-based software, it enables users to develop and publish on-line surveys, and collect responses, without doing any programming.

Description

LimeSurvey suffers from stored cross-site scripting and SQL injection vulnerabilities. Input passed to the 'label_name' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Input passed to the 'group_name' POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
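
The two mitigations this description implies, as an added example that is not LimeSurvey's code or the vendor's patch: the 'group_name' value is bound as a query parameter, and the stored 'label_name' value is HTML-encoded when it is rendered. Table names, function names and the sample input are assumptions made for illustration; it uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
// Added example. Table, column and function names are hypothetical;
// only the parameter names group_name and label_name come from the advisory.

$pdo = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE survey_groups (id INTEGER PRIMARY KEY, group_name TEXT NOT NULL)');
$pdo->exec('CREATE TABLE label_sets (id INTEGER PRIMARY KEY, label_name TEXT NOT NULL)');

// Weak pattern (comment only, not executed): request data concatenated into the
// SQL text, so quote characters in group_name change the statement's structure.
//   $pdo->exec("INSERT INTO survey_groups (group_name) VALUES ('" . $_POST['group_name'] . "')");

// Corrected pattern: the SQL text is constant and the value travels as a bound parameter.
function saveGroup(PDO $pdo, string $groupName): int
{
    $stmt = $pdo->prepare('INSERT INTO survey_groups (group_name) VALUES (:name)');
    $stmt->execute([':name' => $groupName]);
    return (int) $pdo->lastInsertId();
}

function saveLabel(PDO $pdo, string $labelName): int
{
    $stmt = $pdo->prepare('INSERT INTO label_sets (label_name) VALUES (:name)');
    $stmt->execute([':name' => $labelName]);
    return (int) $pdo->lastInsertId();
}

// Stored XSS is closed at output time: encode the stored value for the HTML context.
function renderLabel(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT label_name FROM label_sets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = (string) $stmt->fetchColumn();
    return '<td class="label-name">' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample input standing in for the two POST parameters.
$post = ['group_name' => "Q1 'pilot' group", 'label_name' => 'Agree <b>strongly</b> & often'];

$gid = saveGroup($pdo, $post['group_name']);
$lid = saveLabel($pdo, $post['label_name']);

$stmt = $pdo->prepare('SELECT group_name FROM survey_groups WHERE id = :id');
$stmt->execute([':id' => $gid]);
var_dump($stmt->fetchColumn() === $post['group_name']); // quotes were stored as data
echo renderLabel($pdo, $lid), PHP_EOL;                  // markup is emitted as text
```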

Proof of Concept
Disclosure Timeline
19.11.2013 - Vulnerabilities discovered.
22.11.2013 - Vendor notified through their bug tracking system with details.
22.11.2013 - Vendor confirms the issues, creating patch.
22.11.2013 - Vendor releases a fix (build 131122) to address these issues.
23.11.2013 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
23.11.2013 - Initial release
29.11.2013 - Added reference [6], [7] and [8]
01.12.2013 - Added reference [9] and [10]