LimeSurvey Security Advisory 02/2018

Written on 23 February 2018. Posted in General.

LimeSurvey Security Advisory 02/2018

IMPORTANT: There has been a highly critical issue uncovered which allows an attacker to gain access to your Limesurvey installation and probably webspace.

Type of issue

The issue lets an attacker gain access to your LimeSurvey configuration file by using a vulnerability of the LimeSurvey Installer.
The vulnerability was uncovered by the NguyenVan Tien Thanh (@yeuchimse) from Viettel Cyber Security Center and we are very grateful for the responsible disclosure.

Affected LimeSurvey versions

This issue affects all LimeSurvey versions starting from 2.x.
Note: The LimeSurvey Professional hosting services are/were NOT affected.

Exploits in the Wild

There is currently no known exploit in the wild.

Advised solution

Update as soon as possible!

There are two possible ways to resolve this issue:

The quick way: This way works for all versions: Delete the file /application/controller/InstallerController.php from your LimeSurvey directory. This file is not needed by LimeSurvey anymore after installation.
The update way:
We prepared different update versions to keep the impact as small as possible:
- If you are using 2.6.x LTS, use ComfortUpdate to update to 2.6.7 LTS.
- If you are using 2.7x.x, use ComfortUpdate to update to version 2.73.1 or download version 2.73.1 here.
- If you are using 3.x, use ComfortUpdate to version 3.4.2 or download 3.4.2 here.

Recommendations

We recommend to use one of the advised solutions as soon as possible. Though there are no known exploits in the wild, there might very well be some coming soon.