This was published on the Mod_Survey mailing list a few minutes ago.


#########################################################
Mod_Survey Security Advisory 2004-03-21, Script injection
#########################################################


ABOUT MOD_SURVEY
----------------
Mod_Survey is an Apache module which displays and handles questionnaires
written in a special XML-based markup language. Mod_Survey is primarily
targeted towards Linux/Unix, but is also possible to run in Windows.


SUMMARY
-------
In all versions older than a 2004-03-21, it is possible for a remote 
evil person to submit script code (such as JavaScript) along with his
normal answers. This could, for example, be exploitable to get access
to the password cookie used by the administrator of the survey, and 
thereby read access to the submitted data.


ERROR CATEGORY
--------------
The error falls into the classes "Input Validation Error" and 
"Script Injecion". It is possible to exploit remotely.


VULNERABLE
----------
In stable (3.0.x) branch:

  All versions up to and including 3.0.16-pre1

In development (3.2.x) branch:

  All versions up to and including 3.2.0-pre3
  
Not vulnerable:

  3.0.16-pre2
  3.2.0-pre4


SOLUTION
--------
Users of the stable branch are encouraged to upgrade to 3.0.16-pre2. 
Users of the development branch are encourage to upgrade to 3.2.0-pre4
or to the current CVS version.


LONGER DISCUSSION
-----------------
Mod_Survey accepts arbitrary text-field type answers to be submitted by
a respondent. As the data backend usually does not care about what is 
actually contained in these answers, very few illegal characters have
been filtered out from being saved. This is in itself not a major 
problem.

However, when the administrator of the survey wants to download the
submitted data, he gets to choose between several different formats. One
of these is to download it as a HTML table. 

Previously, the data was pasted straigh into the HTML output without any
filtering or escaping. To illustrate the problem, let's assume that the
respondent answered that his name was:

  <script>alert('Hello there')</script>

..then the survey administrator would see an annoyingly displayed message
box every time he looked at the data through his browser.

The same approach would be valid for other export formats, such as the 
SQL export and the XML export. 

It has also been pointed out that a similar problem occurs in error 
messages about malformed query strings in Mod_Survey. The conceivable 
impact of this is limited, but the problem has been fixed as a part of 
this security update. Further, steps have been taken to add an extra 
layer of protection around the data backend. 

The problem has been addressed differently in the two major branches of
Mod_Survey. In the stable branch, illegal characters are now blocked
altogether. It will thus not be possible to submit characters like <, >,
$ and '. Since earlier other characters such as ;, " and & have been 
blocked. System administrators should be aware of this before upgrading
to the new version, as also legitimate uses of these characters are 
blocked. This could cause some irritation amongst respondents. One 
workaround if this becomes a problem is to set _SURVEY_PROTESTILLEGAL to
0, which will silently replace illegal characters with pipe signs rather
than whining at the respondent.

In the development branch, the solution has been to filter the output 
rather than the input. Thus, each data export now keeps track of which
characters to filter out or escape. Thus, for example, the HTML export
will silently replace all "<" with "<".


EXPLOIT
-------
A proof of concept of the script injection problem has been written and 
published by Niklas Deutschmann on the Mod_Survey mailing list. As this
involves no complicated coding and since anyone with some insight into
JavaScript immediately will understand how to exploit the flaw, there is
no reason to republish this exploit here. Please refer to the Mod_Survey
mailing list if you are interested.


IMPACT
------
Most surveys will be vulnerable to this. Surveys that only contain 
numerical input fields will not be affected. Nor will this be a problem
in closed-sample surveys where the respondents are known and trusted. 

In surveys where the administration part has been knowingly left open 
so that respondents can view answers anyway, this will merely be a 
minor annoyance. 

All in all the impact must be characterized as severe.


CREDITS
-------
The problem was first discovered and discussed by Niklas Deutschmann, 
who also wrote a proof of concept. BugAnt submitted the basic code for
solving the problem in the 3.2.x branch.

  // Joel