Vendor Description
“LimeSurvey is the tool to use for your online surveys. Whether you are conducting simple questionnaires with just a couple of questions or advanced assessments with conditionals and quota management, LimeSurvey has got you covered. LimeSurvey is 100% open source and will always be transparently developed. We can help you reach your goals.”
Source: https://www.limesurvey.org
Business Recommendation
LimeSurvey suffered from a vulnerability due to improper input and output validation. By exploiting this vulnerability an attacker could:
- Attack other users of the web application with JavaScript code, browser exploits or Trojan horses, or
- perform unauthorized actions in the name of another logged-in user.
The vendor provides a patch which should be installed immediately. Furthermore, a thorough security analysis is highly recommended as only a short spot check has been performed and additional issues are to be expected.
Vulnerability Overview/Description
Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability, which allows an attacker to execute JavaScript code with the permissions of the victim. In this way it is possible to escalate privileges from a low-privileged account e.g. to “SuperAdmin”.
Proof Of Concept
Stored and reflected XSS vulnerabilities
Example 1 – Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions to create new survey groups. A survey group is then created with a JavaScript payload in the title, for example:
test<svg/onload=alert(document.cookie)>
When the survey group is deleted, e.g. by an administrative user, the JavaScript code is executed as part of the “success” message, because the stored title is inserted into that message without output encoding.
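The root cause of the stored XSS above is output encoding, not storage: the title may be stored verbatim, but it has to be HTML-encoded when it is written into the success message. The following Python example is added here and is not LimeSurvey's code; the two render functions are hypothetical stand-ins for the vulnerable and the corrected message template, and the title value is constructed from the advisory's payload. An HTML parser is used to show which markup actually becomes live in each case, rather than relying on string matching.

```python
import html
from html.parser import HTMLParser

# Constructed survey-group title that mirrors the advisory's stored-XSS payload.
MALICIOUS_TITLE = "test<svg/onload=alert(document.cookie)>"


def render_success_unsafe(title: str) -> str:
    """Vulnerable pattern (hypothetical, not LimeSurvey's code): the stored
    title is interpolated into the HTML success message as-is."""
    return f'<div class="alert alert-success">Survey group "{title}" deleted.</div>'


def render_success_safe(title: str) -> str:
    """Hardened pattern: encode the value for the HTML text context at output
    time. quote=True also encodes ' and " so the same helper stays safe inside
    a double-quoted attribute value."""
    return f'<div class="alert alert-success">Survey group "{html.escape(title, quote=True)}" deleted.</div>'


class _TagCollector(HTMLParser):
    """Records every start tag and every event-handler attribute a browser
    would see, so we can check what markup actually becomes live."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))


def live_markup(fragment: str) -> tuple[list[str], list[str]]:
    """Return (start tags, event-handler attribute names) parsed from fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.handlers


if __name__ == "__main__":
    for label, render in (("unsafe", render_success_unsafe), ("safe", render_success_safe)):
        tags, handlers = live_markup(render(MALICIOUS_TITLE))
        print(f"{label}: tags={tags} handlers={handlers}")
```

With the unsafe template the parser reports a live `svg` element carrying an `onload` handler; with the encoded template only the surrounding `div` exists and the title is plain text. The same encoding step has to be applied in every place the title is echoed, not only in the delete message.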
Example 2 – Reflected XSS (CVE-2019-16173):
The following proof of concept displays the cookies of the current session in an alert box, including the cookie that holds the CSRF token. The parameter “surveyid” is not filtered properly:
$host/index.php/admin/survey src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question
If the URL schema is configured differently the following payload works:
$host/index.php= xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question
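Because the reflected payload travels in the query string, attempts against this endpoint are visible in the web server access log. The Python example below is added here, is not part of the advisory or of LimeSurvey, and scans a few constructed combined-format log lines; the request path and parameter names are assumptions modelled on the PoC above. Values are percent-decoded repeatedly so a double-encoded payload (%253C rather than %3C) is inspected in its final form.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Apache/nginx combined style). The request path
# and parameter names are assumptions modelled on the advisory's PoC, not real
# LimeSurvey traffic. Line 3 carries the same kind of payload double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2019:10:00:01 +0000] "GET /index.php/admin/survey?surveyid=123&sa=listquestions&sort=question HTTP/1.1" 200 5120
10.0.0.9 - - [10/Sep/2019:10:00:07 +0000] "GET /index.php/admin/survey?surveyid=xxx%22%3E%3Cimg%20src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question HTTP/1.1" 200 5120
10.0.0.9 - - [10/Sep/2019:10:00:09 +0000] "GET /index.php/admin/survey?surveyid=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120
10.0.0.7 - - [10/Sep/2019:10:00:11 +0000] "GET /index.php/admin/survey?surveyid=456&sort=question_order HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that has no business in a survey id: a tag opener, an HTML
# event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:", re.I)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded
    payloads (%253C -> %3C -> <) are checked in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str) -> list[dict]:
    """Return one hit per query parameter whose decoded value contains markup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m.group("target")).query
        # parse_qsl splits on the first '=' only, so '=' inside a value survives.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                hits.append({"line": lineno, "ip": m.group("ip"), "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['ip']}: {hit['param']}={hit['value']!r}")
```

Lines 2 and 3 are reported, both on the `surveyid` parameter; the benign requests with numeric ids produce no hit. The check is intentionally limited to decoded parameter values, so a parameter name such as `sort=question` does not trip the event-handler pattern.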
Vulnerable / Tested Versions:
The vulnerabilities have been verified to exist in version 3.17.9 and the latest version 3.17.13. It is assumed that older versions are affected as well.