Full Disclosure mailing list archives

By Date By Thread SEC Consult SA-20151022-0 :: Lime Survey Multiple Critical Vulnerabilities From: SEC Consult Vulnerability Lab <research () sec-consult com>

Date: Thu, 22 Oct 2015 17:28:13 +0200

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SEC Consult Vulnerability Lab Security Advisory < 20151022-0 > ======================================================================= title: Multiple critical vulnerabilities product: Lime Survey vulnerable version: 2.05 up to 2.06+ Build 151014 fixed version: 2.06+ Build 151016 CVE number: impact: critical homepage: https://www.limesurvey.org/ found: 2015-10-12 by: P. Morimoto (Office Bangkok) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore Vienna (HQ) - Vilnius - Zurich - Bangkok https://www.sec-consult.com ======================================================================= Vendor description: - ------------------- Lime Survey allows users to quickly create intuitive, powerful, online question-and-answer surveys that can work for tens to thousands of participants without much effort. The survey software itself is self-guiding for the respondents who are participating. Lime Survey has surpassed 1,500,000 downloads and is used by a huge number of private persons, big companies, academic facilities and governmental institutions around the world. URL: https://www.limesurvey.org/en/about-limesurvey/references Business recommendation: - ------------------------ By combining the vulnerabilities documented in this advisory, unauthenticated remote attackers can completely compromise Lime Survey application server. - - Arbitrary local files can be downloaded - - Entire Lime Survey database can be accessed - - Arbitrary PHP code can be executed SEC Consult recommends not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: - ----------------------------------- Due to the lack of function level access control many administrative functions in Lime Survey can be accessed by remote attackers without prior authentication. Moreover, the application did not validate some of user input properly. Unauthenticated attackers can pass specially crafted data to the entry points result in following vulnerabilities. 1. Unauthenticated local file disclosure An attacker can craft a malicious PHP serialized string containing a list of arbitrary files. This list can be sent to the Lime Survey backup feature for downloading without prior authentication. Any files accessible with the privileges of the web server user can be downloaded. 2. Unauthenticated database dump An attacker can request the database backup feature without authentication. The whole Lime Survey database can be downloaded including username and hashed password of the administrator account. 3. Unauthenticated arbitrary remote code execution An attacker can inject arbitrary PHP code into the application source code allowing to plant a malicious web backdoor to access underlying web server. 4. Multiple reflective cross-site scripting The application is prone to multiple reflective cross-site scripting vulnerabilities. Proof of concept: - ----------------- The vendor kindly asked SEC Consult to give people enough time to update their installations. Because of the high risk vulnerabilities, the proof of concept section has been removed from this advisory. Vulnerable / tested versions: - ----------------------------- The vulnerabilities have been tested on 2.06+ Build 150930 At least the following versions have been identified to be vulnerable: Version 2.05 Build 150413 up to 2.06+ Build 151014 Vendor contact timeline: - ------------------------ 2015-10-15: Contacting vendor through Lime Survey bug tracking system 2015-10-15: Vendor acknowledges existence of the vulnerabilities 2015-10-15: Urgent workaround is committed to Lime Survey's code repository 2015-10-16: Vendor asks for giving 6 weeks before disclosing the advisory 2015-10-16: Vendor releases Lime Survey 2.06+ Build 151016 with issues fixed 2015-10-22: SEC Consult releases security advisory without PoC Solution: - --------- Immediately upgrade to Lime Survey 2.06+ Build 151016 or later. https://www.limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015 Workaround: - ----------- No workaround available. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich - Bangkok About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Pichaya Morimoto / @2015 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQIcBAEBAgAGBQJWKQCNAAoJEC0t17XG7og/SbgP/isYBJWMltq2rNZe2aj2Rl4U FnKYjW5c82JNJE0SPXRiAX9Focpdf7ZEmmL0E+gObLPncqsAtghJxcQ1A7h2xygm fBEo6VJ7CKJTXgjmJGXpdMTDptC4Gb6E7FLKaqq/pOaUV4npl5XoSn1d9Q26KqIP hRNiwl5kgKnfdORrnqQqNBYUK0Pj5diC+AqiaONU3td8mcrQZb0K32Z4K3Kpvuni m4yQp6lAbQDXA8J48bLAMdo6GuB7Y7gyKLMwnt9Rf2879QlSCaOktmTiW6mP8sxr rNBotuwo6T6Dkyvja6W1xG0G7/pLOHKBWB6tUd9CyHEdsKr6uBEBN6dLJ41Brf7o IoZPBK7pfdmlNnw5ZHUMxJJlIAza0Hrv0Vt7mwLRMWawJKDUzGtlTjG8tnSi1yJ5 ZZlHwDukXXPWfEjjEsRUSayRa9M6WMIbZipExvQn6bCuEalKar4T5LucF44jTKic 9Gj0s6UeWIk3HgGjo6X54wryudlUjOIrubb1bPSgluq9MCnnwOg6zbh+mibkyONW emZdkAC+cOiCn3Ypppnr1m+BroQA1JeoZHWLrFbmlf+Ms7hhyRktiMAuFe/hxzDo zJfh+P4tPj9kSMojvugtOEi1q5RGUTVyy+R0bHZUYS+L6qshpGYZwQ10JePHeHPc 6satId8EWVBs0UpP2oJ8 =8pme -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: SEC Consult SA-20151022-0 :: Lime Survey Multiple Critical Vulnerabilities SEC Consult Vulnerability Lab (Oct 22)