Stored and reflected XSS vulnerabilities in LimeSurvey (CVE-2019-16172, CVE-2019-16173)

Project Description

XSS vulnerabilities within LimeSurvey enable an attacker to perform unauthorized actions in the name of another logged-in user, and attack other users of the web application with JavaScript code, browser exploits or Trojan horses.


Vendor description

“LimeSurvey is the tool to use for your online surveys. Whether you are conducting simple questionnaires with just a couple of questions or advanced assessments with conditionals and quota management, LimeSurvey has got you covered. LimeSurvey is 100% open source and will always be transparently developed. We can help you reach your goals.”

Source: https://www.limesurvey.org

Business recommendation

LimeSurvey suffered from a vulnerability due to improper input and output validation. By exploiting this vulnerability an attacker could:

  1. Attack other users of the web application with JavaScript code, browser exploits or Trojan horses, or
  2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately. Furthermore, a thorough security analysis is highly recommended as only a short spot check has been performed and additional issues are to be expected.

 

Vulnerability overview/description

Stored and reflected XSS vulnerabilities

LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability, which allows an attacker to execute JavaScript code with the permissions of the victim. In this way it is possible to escalate privileges from a low-privileged account e.g. to “SuperAdmin”.

 

Proof of concept

Stored and reflected XSS vulnerabilities

Example 1 – Stored XSS (CVE-2019-16172):

The attacker needs the appropriate permissions in order to create new survey groups. Then create a survey group with a JavaScript payload in the title, for example:

test<svg/onload=alert(document.cookie)>

When the survey group is being deleted, e.g. by an administrative user, the JavaScript code will be executed as part of the “success” message.

Example 2 – Reflected XSS (CVE-2019-16173):

The following proof of concept prints the current CSRF token cookie which contains the CSRF token. The parameter “surveyid” is not filtered properly:

http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20 src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question

If the URL schema is configured differently the following payload works:

http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid= xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question

Vulnerable / tested versions:

The vulnerabilities have been verified to exist in version 3.17.9 and the latest version 3.17.13. It is assumed that older versions are affected as well.

Vendor contact timeline

2019-08-29Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
2019-09-02Fixes available (see solution)
2019-09-02Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03Release of LimeSurvey v3.17.15 bug fix
2019-09-12Coordinated release of security advisorySolution

Solution

Update to version 3.17.15 or higher: https://www.limesurvey.org/stable-release

Fixes provided by the vendor:

https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006

The vendor provides a detailed list of changes here:

https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released

Workaround

No workaround available.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Andreas Kolbeck / @2019

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleStored and reflected XSS vulnerabilities
  • ProductLimeSurvey
  • Vulnerable version<= 3.17.13
  • Fixed version=>3.17.14
  • CVE numberCVE-2019-16172, CVE-2019-16173
  • ImpactMedium
  • Homepagehttps://www.limesurvey.org/
  • Found2019-08-23
  • ByAndreas Kolbeck (Office Munich) | Haintz (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back