checking uploaded files by antivirus software?

5 years 2 weeks ago #181395 by bewi
We had a security check for LimeSurvey and one topic was the missing check for malware in uploaded files.

So any admin could store malicious code in a file which gets inserted in a survey or in the backend where a superadmin could execute the code by chance so something bad could happen (enhancement of rights, ...)

One solution would be to check each upload and delete the file on a detection of malware, responding with an error message about bad upload.

Is there a hook/event a plugin can use to realize this?

What are the chances to get something like that into the code?
The topic has been locked.
5 years 2 weeks ago #181397 by DenisChenu
I don't think you can have malware on image files,

Then maybe restrict upload to only image files:
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L87
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L89

You can set it in your own config.php file: manual.limesurvey.org/Optional_settings#Introduction

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer private messages.
5 years 2 weeks ago #181422 by jelo

DenisChenu wrote: I don't think you can have malware on image files,

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

But I wonder what scope the "security check" had. LimeSurvey isn't made for many users with different security levels. I don't see LimeSurvey able to secure all attack vectors (uploading LSS with malicious JS code inside).

Which survey solution or web application offers an upload scanner by default? Which engine is used?

Similar to GoogleMap, an optional check via VirusTotal could be offered.
E.g. via github.com/IzzySoft/virustotal
But I'm not sure it is worth the hassle.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
5 years 2 weeks ago - 5 years 2 weeks ago #181430 by DenisChenu

jelo wrote:

DenisChenu wrote: I don't think you can have malware on image files,

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

Yes, OK: part of the malware is inside the comment.

BUT: you need another part (the PHP part here) to decode this EXIF comment.

The file by itself is still secure …

You can hide any bad content in question text, but if you don't have a way to launch it, it is still harmless…

I don't see LimeSurvey able to secure all attack vectors (uploading LSS with malicious js code inside).

I don't say it's perfect, but with XSS security to on (and not being a super-admin): uploaded LSS files are filtered for JS and other harmful code (using htmlpurifier.org/).

If you can add any harmful (and working) system with a non super-admin account (and no template edit allowed): this must be reported as a security issue (and we fix it).

Last edit: 5 years 2 weeks ago by DenisChenu.
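
The EXIF/comment case discussed in the two posts above, as an added example that is not part of the thread or of LimeSurvey: a Python check that walks a JPEG's header segments and flags script-like text in COM/APPn metadata or after the end-of-image marker. The pattern list, function names and sample bytes are constructed assumptions.

```python
import struct

# Assumed pattern list (tune locally): strings that do not belong in image metadata.
SUSPICIOUS = (b"<?php", b"<?=", b"eval(", b"base64_decode(", b"<script")

def _hits(where: str, blob: bytes) -> list[tuple[str, str]]:
    lowered = blob.lower()
    return [(where, p.decode()) for p in SUSPICIOUS if p in lowered]

def jpeg_metadata_findings(data: bytes) -> list[tuple[str, str]]:
    """Return (location, pattern) pairs for script-like text in JPEG metadata."""
    if data[:2] != b"\xff\xd8":
        return [("file", "not a JPEG (missing SOI marker)")]
    findings, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            findings.append(("file", "malformed segment header"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):         # SOS (pixel data follows) or EOI
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            findings.append(("file", "segment length out of bounds"))
            break
        if marker == 0xFE:                 # COM: free-text comment
            findings += _hits("COM", data[pos + 4:pos + 2 + length])
        elif 0xE0 <= marker <= 0xEF:       # APP0..APP15; EXIF lives in APP1
            findings += _hits(f"APP{marker - 0xE0}", data[pos + 4:pos + 2 + length])
        pos += 2 + length
    eoi = data.rfind(b"\xff\xd9")          # bytes appended after end-of-image
    if eoi != -1:
        findings += _hits("trailer", data[eoi + 2:])
    return findings

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (header segments only, not decodable images).
_TAIL = _segment(0xDA, b"\x00") + b"\xff\xd9"
CLEAN = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00") + _TAIL
TAINTED = (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00")
           + _segment(0xFE, b"<?php /* constructed marker */ ?>") + _TAIL)

if __name__ == "__main__":
    print(jpeg_metadata_findings(CLEAN), jpeg_metadata_findings(TAINTED))
```

A hit means the file carries script-like text, not that anything on the server will run it; rejecting the upload or re-encoding the image without its metadata are the usual responses.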
5 years 2 weeks ago #181452 by jelo

DenisChenu wrote: but with XSS security to on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Prerequisites to use LimeSurvey (if you want to use the average feature set of an average survey tool): XSS security off. Ajaxmode off.

5 years 2 weeks ago #181453 by DenisChenu

jelo wrote:

DenisChenu wrote: but with XSS security to on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Users who come to the forum need a very specific solution.

More than 95% of my survey is done without any workaround …

5 years 2 weeks ago - 5 years 2 weeks ago #181455 by jelo

DenisChenu wrote: More than 95% of my survey is done without any workaround …

People contacting you are already on LimeSurvey soil. Your customers can leave XSS on, cause they get a plugin installed ;-) I wonder if 95% of TPartners customers conduct surveys without any workaround.

Last edit: 5 years 2 weeks ago by jelo.
5 years 2 weeks ago #181463 by tpartner
I would say that 95% of my customers have customizations but only about half of those are what I would call "workarounds".

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
5 years 2 weeks ago - 5 years 2 weeks ago #181468 by DenisChenu

jelo wrote: Your customers can leave XSS on, cause they get a plugin installed ;-) .

No for public part :).

More : theme (without workaround) or management in PHP (no need JS).

Last edit: 5 years 2 weeks ago by DenisChenu.