LimeSurvey Security Advisory 2008/06/22

Written on . Posted in Security.

For the last couple months the LimeSurvey project has done a lot of self-imposed security audits on the LimeSurvey code base. (Thank you to the Ubuntu Server team for pointing out first issues and giving us a head start.)
During this process several security issues have been fixed in the source code which include:

  • Issues where variable manipulation was possible when register_globals in PHP is activated
  • Session Data injection & manipulation
  • Permanent & non-permanent XSS-issues where an attacker could try to gain access by injecting own javacript code into the application
  • Session related issues where a possible attacker could take over the session and/or gain higher access privileges    

Most of these issue were already fixed for 1.71 stable. (Affected versions: 1.70+ (all builds) and older)

On top of that we fixed two moderate issues for the current 1.71 release which were

  • Two XSS attacks for security flaws in the IE6 browser.
  • Session Fixation attack

Thank you to security advisor Michal Tresner for reporting.

Exploits in the Wild: No known exploits yet. We strongly recommend to update as long it stays that way!

Solution: Update to the latest LimeSurvey 1.71+ Build 5147 or later version available from http://www.limesurvey.org

This security advisory refers to CVE-2008-2659 - LimeSurvey XSS candidate