exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sosci Survey 2.x Bypass / XSS / Command Execution

Sosci Survey 2.x Bypass / XSS / Command Execution
Posted Apr 17, 2013
Authored by V. Paulikas, T. Lazauninkas | Site sec-consult.com

Sosci Survey versions prior to 2.3.04a suffer from authorization issues, cross site scripting, and remote command execution vulnerabilities.

tags | exploit, remote, vulnerability, xss
SHA-256 | 2688b19fa954cb3f1486c7c46ca8d36690ad27229d60a36c584a5f2d3a45c7aa

Sosci Survey 2.x Bypass / XSS / Command Execution

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130417-0 >
title: Multiple vulnerabilities in Sosci Survey
product: Sosci Survey
vulnerable version: <2.3.04a
fixed version: 2.3.04a
impact: Critical
homepage: https://www.soscisurvey.de
found: 2012-06-18
by: T. Lazauninkas, V. Paulikas
SEC Consult Vulnerability Lab

Vendor description:
SoSci Survey provides a non-comercial survey service, letting anyone to create and
share surveys for collecting data in a purpose of scientific research. It is a
flexible and efficient tool as it lets you to create a very customizable survey,
including active content (javascript) and PHP code.


Vulnerability overview/description:
1) Authorization Issues
The web application fails to validate authorization for
certain requests. This allows unauthorized users to access private messages
that belong to other users.

2) Cross-Site Scripting
The web application is prone to persistent and reflected Cross-Site Scripting
attacks. The vulnerability can be used to include HTML or JavaScript
code to the affected web page. The code is executed in the browser of
users if they visit the manipulated site. The vulnerability can be used
to change the contents of the displayed site, redirect to other sites
or steal user credentials. Additionally, Portal users are potential
victims of browser exploits and JavaScript Trojans.

3) Remote command execution
Due to insufficient input validation, the web application fails to properly
filter dangerous PHP code passed from the user side. This leads to OS command
execution with the privileges of the web server. By exploiting this
vulnerability, an attacker can read/write files, open connections, etc. posing
a critical security risk.

Proof of concept:

1) In the user profile, users are able to send and receive private messages to
each other. This also includes the administrative users. By modifying one of the
vulnerable script's parameters an attacker can read the messages of other users.
A proof of concept is provided below:


By iterating between the integer parameter's id value, an attacker is able to exploit
this vulnerability.

2) If an invalid id value is passed to the receiver.edit module, which is handled by
the index.php script, its contents is reflected to the user without proper filtering.
This leads to javascript execution in the web browser. This issue can be easily exploited
by navigating to the folowing URL:


An alert with the user's session cookie will be shown.

Persistent Cross-Site scripting was identified in the private messaging module. It was
discovered, that [subject, title, firstName, surname, content] parameters are
vulnerable to persistent Cross-Site scripting as they are saved and later shown
without proper filtering. A sample request is provided below:

POST /admin/index.php HTTP/1.1
Host: www.example.com

Many parameters are vulnerable to reflected Cross-Site Scripting vulnerabilities:


Referer (header)



3) When creating a new survey it is possible to include PHP code. Despite that the web
application is filtering most of the dangerous PHP functions, that would allow to execute OS
commands, it is still possible to execute arbitrary commands by using the provided code below:

print `id`;

The above code, when executed, prints out the system id of the current user. This could be further
exploited by an attacker for accessing the local file system, creating malicious files, opening
remote conections, etc.

Vulnerable / tested versions:
Pre-installed version of SoSci Survey, hosted on www.soscisurvey.de domain, was
tested. It was not possible to determine an exact version of the installed software.

Vendor contact timeline:
2013-01-29: Contacted vendor through info@soscisurvey.de
2013-01-29: Initial vendor response - issues will be verified
2013-03-29: Status request sent
2013-03-29: Vendor response: Security update 2.3.04a is available
2013-04-17: SEC Consult releases coordinated security advisory

Update to version 2.3.04a.


Advisory URL:

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF T. Lazauninkas, V. Paulikas / @2013

Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    65 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    23 Files
  • 23
    May 23rd
    15 Files
  • 24
    May 24th
    49 Files
  • 25
    May 25th
    20 Files
  • 26
    May 26th
    13 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    11 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By