LimeSurvey Security Advisory 02/2018
IMPORTANT: A highly critical issue has been uncovered which allows an attacker to gain access to your LimeSurvey installation and possibly to your web space.
Type of issue
The issue lets an attacker gain access to your LimeSurvey configuration file through a vulnerability in the LimeSurvey installer.
The vulnerability was uncovered by NguyenVan Tien Thanh (@yeuchimse) from Viettel Cyber Security Center, and we are very grateful for the responsible disclosure.
Affected LimeSurvey versions
This issue affects all LimeSurvey versions starting from 2.x.
Note: The LimeSurvey Professional hosting services are/were NOT affected.
Exploits in the Wild
There is currently no known exploit in the wild.
Advised solution
Update as soon as possible!
There are two possible ways to resolve this issue:
- The quick way (works for all versions): Delete the file /application/controller/InstallerController.php from your LimeSurvey directory. LimeSurvey no longer needs this file once installation is complete.
- The update way:
We prepared different update versions to keep the impact as small as possible:
- If you are using 2.6.x LTS, use ComfortUpdate to update to 2.6.7 LTS.
- If you are using 2.7x.x, use ComfortUpdate to update to version 2.73.1 or download version 2.73.1 here.
- If you are using 3.x, use ComfortUpdate to update to version 3.4.2 or download 3.4.2 here.
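The quick way above comes down to removing one file from a live installation. The following POSIX shell function is an added example and not part of the LimeSurvey advisory or the LimeSurvey project: it takes the LimeSurvey web root as its argument, looks for the installer controller at the path the advisory names (falling back to a search of the application tree in case the directory is named differently in your release), keeps a backup copy next to the web root, deletes the file and reports what it did. The web-root argument and the backup location are assumptions of this example.

```shell
#!/bin/sh
# Added example, not LimeSurvey project code. Removes the leftover
# InstallerController.php from an installed LimeSurvey tree.
# Assumes: $1 is the LimeSurvey web root (e.g. /var/www/limesurvey) and the
# script runs as the user that owns the installation.

remove_installer_controller() {
    root="${1%/}"
    # Path named in the advisory.
    target="$root/application/controller/InstallerController.php"

    if [ ! -d "$root/application" ]; then
        echo "not a LimeSurvey directory: $root" >&2
        return 2
    fi

    # Fallback: locate the controller anywhere under application/ in case the
    # directory name differs in this release.
    if [ ! -f "$target" ]; then
        target=$(find "$root/application" -type f -name InstallerController.php 2>/dev/null | head -n 1)
    fi

    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "InstallerController.php not found under $root/application (already removed?)"
        return 0
    fi

    # Keep a copy beside (not inside) the web root so the change can be reverted.
    backup="$root.InstallerController.php.bak"
    cp "$target" "$backup" || return 3
    rm -f "$target" || return 3
    echo "removed $target (backup at $backup)"
    return 0
}

# Usage: remove_installer_controller /var/www/limesurvey
```

Run it once per installation; a second run reports that the file is already gone and exits 0. Because the backup sits next to the web root rather than under it, restoring it is a single copy if you later need to re-run the installer deliberately.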
Recommendations
We recommend applying one of the advised solutions as soon as possible. Although there are no known exploits in the wild, exploits may well appear soon.