LimeSurvey Security Advisory 2008/06/22

Written on 22 June 2008. Posted in Security.

For the last couple months the LimeSurvey project has done a lot of self-imposed security audits on the LimeSurvey code base. (Thank you to the Ubuntu Server team for pointing out first issues and giving us a head start.)
During this process several security issues have been fixed in the source code which include:

Issues where variable manipulation was possible when register_globals in PHP is activated
Session Data injection & manipulation
Permanent & non-permanent XSS-issues where an attacker could try to gain access by injecting own javacript code into the application
Session related issues where a possible attacker could take over the session and/or gain higher access privileges

Most of these issue were already fixed for 1.71 stable. (Affected versions: 1.70+ (all builds) and older)

On top of that we fixed two moderate issues for the current 1.71 release which were

Two XSS attacks for security flaws in the IE6 browser.
Session Fixation attack

Thank you to security advisor Michal Tresner for reporting.

Exploits in the Wild: No known exploits yet. We strongly recommend to update as long it stays that way!

Solution: Update to the latest LimeSurvey 1.71+ Build 5147 or later version available from http://www.limesurvey.org

This security advisory refers to CVE-2008-2659 - LimeSurvey XSS candidate