
From: SEC Consult Vulnerability Lab <research_(at)_sec-consult.com>
Date: 26 October 2015
Subject: SEC Consult SA-20151022-0 :: Lime Survey Multiple Critical Vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20151022-0 >
             title: Multiple critical vulnerabilities
           product: Lime Survey
vulnerable version: 2.05 up to 2.06+ Build 151014
     fixed version: 2.06+ Build 151016
        CVE number:
            impact: critical
          homepage: https://www.limesurvey.org/
             found: 2015-10-12
                by: P. Morimoto (Office Bangkok)
                    SEC Consult Vulnerability Lab

                    An integrated part of SEC Consult
                    Berlin - Frankfurt/Main - Montreal - Singapore
                    Vienna (HQ) - Vilnius - Zurich - Bangkok



Vendor description:
Lime Survey allows users to quickly create intuitive, powerful,
online question-and-answer surveys that can work for tens to thousands
of participants without much effort.  The survey software itself is
self-guiding for the respondents who are participating.
Lime Survey has surpassed 1,500,000 downloads and is used by a huge number of
private persons, big companies, academic facilities and governmental
institutions around the world.

URL: https://www.limesurvey.org/en/about-limesurvey/references

Business recommendation:
By combining the vulnerabilities documented in this advisory,
unauthenticated remote attackers can completely compromise the Lime
Survey application server.

- Arbitrary local files can be downloaded
- Entire Lime Survey database can be accessed
- Arbitrary PHP code can be executed

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.

Vulnerability overview/description:
Due to the lack of function level access control many administrative
functions in Lime Survey can be accessed by remote attackers without
prior authentication.

Moreover, the application does not validate some user input properly.
Unauthenticated attackers can pass specially crafted data to these entry points,
resulting in the following vulnerabilities.

1. Unauthenticated local file disclosure
An attacker can craft a malicious PHP serialized string containing a list of
arbitrary files. This list can be sent to the Lime Survey backup feature
for downloading without prior authentication.

Any files accessible with the privileges of the web server user
can be downloaded.

2. Unauthenticated database dump
An attacker can request the database backup feature without authentication.
The whole Lime Survey database can be downloaded including username and
hashed password of the administrator account.

3. Unauthenticated arbitrary remote code execution
An attacker can inject arbitrary PHP code into the application source code,
allowing them to plant a web backdoor and gain access to the underlying web server.

4. Multiple reflected cross-site scripting vulnerabilities
The application is prone to multiple reflected cross-site scripting vulnerabilities.
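The two root causes named above (missing function-level access control, and PHP-serialized input accepted from the client and used as a file list) recur in many web applications. The following PHP is an added illustration of the weak pattern beside a hardened one; it is not LimeSurvey code, not SEC Consult's proof of concept, and every name in it (the backup directory, the session layout, the function names) is a hypothetical stand-in. It assumes PHP 8.

```php
<?php
// Added illustration, not LimeSurvey code. All names and paths are hypothetical.
declare(strict_types=1);

// --- Weak pattern: the shape of fault the advisory describes -------------------
// (a) the handler never checks that the caller is an authenticated admin;
// (b) the file list arrives as a PHP-serialized string and is unserialize()d,
//     so the client controls the whole structure, including the paths;
// (c) the paths are used as-is, so any file the web server user can read
//     can be returned.
function weakBackupDownload(string $rawFileList): void
{
    $files = unserialize($rawFileList);
    foreach ($files as $path) {
        readfile($path);
    }
}

// --- Hardened pattern --------------------------------------------------------
// Function-level access control lives in the handler itself, not only in the
// admin menu that links to it. $session is a hypothetical decoded session array.
function isAuthenticatedAdmin(array $session): bool
{
    return ($session['authenticated'] ?? false) === true
        && in_array('admin', $session['roles'] ?? [], true);
}

// Map a client-supplied *name* (never a path) onto a file inside the backup
// directory, or return null if anything about it is off.
function resolveBackupFile(string $name, string $backupDir): ?string
{
    // Bare file names only: no separators, no leading dot, bounded length.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        return null;
    }
    $base = realpath($backupDir);
    $full = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Containment check on the canonical path: it must stay under $base even if
    // a symlink inside the directory points elsewhere.
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// Returns the HTTP status it would send, so the decision is easy to unit-test.
function hardenedBackupDownload(array $session, string $rawRequest, string $backupDir): int
{
    // Deny by default, before touching any input.
    if (!isAuthenticatedAdmin($session)) {
        http_response_code(403);
        return 403;
    }
    // JSON instead of PHP serialization: decoding creates arrays only, never
    // objects, so no __wakeup/__destruct gadget can run. Depth is capped.
    try {
        $req = json_decode($rawRequest, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        http_response_code(400);
        return 400;
    }
    $names = $req['files'] ?? null;
    if (!is_array($names) || count($names) === 0 || count($names) > 20) {
        http_response_code(400);
        return 400;
    }
    $resolved = [];
    foreach ($names as $name) {
        $path = is_string($name) ? resolveBackupFile($name, $backupDir) : null;
        if ($path === null) {
            http_response_code(400);   // reject the whole request, not just one entry
            return 400;
        }
        $resolved[] = $path;
    }
    header('Content-Type: application/octet-stream');
    foreach ($resolved as $path) {
        readfile($path);
    }
    return 200;
}

// Constructed sample call: an anonymous session must be refused before the
// request body is even parsed.
$anonymous = ['authenticated' => false, 'roles' => []];
hardenedBackupDownload($anonymous, '{"files":["nightly.zip"]}', '/var/lib/app/backups');
```

The order of checks is the point of the example: authorization first, then a format that cannot instantiate objects, then a name allowlist plus a canonical-path containment check. Each layer would have stopped the corresponding step in the chain the advisory describes on its own.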

Proof of concept:
The vendor kindly asked SEC Consult to give people enough time to update
their installations.

Because of the high-risk nature of the vulnerabilities, the proof of concept
section has been removed from this advisory.

Vulnerable / tested versions:
The vulnerabilities have been tested on 2.06+ Build 150930.
At least the following versions have been identified to be vulnerable:

Version 2.05 Build 150413 up to 2.06+ Build 151014

Vendor contact timeline:
2015-10-15: Contacting vendor through Lime Survey bug tracking system
2015-10-15: Vendor acknowledges existence of the vulnerabilities
2015-10-15: Urgent workaround is committed to Lime Survey's code repository
2015-10-16: Vendor asks for 6 weeks before the advisory is disclosed
2015-10-16: Vendor releases Lime Survey 2.06+ Build 151016 with issues fixed
2015-10-22: SEC Consult releases security advisory without PoC

Immediately upgrade to Lime Survey 2.06+ Build 151016 or later.

No workaround available.

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich - Bangkok

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Pichaya Morimoto / @2015
