checking uploaded files by antivirus software?

2 weeks 12 hours ago #181395 by bewi
We had a security check for LimeSurvey, and one topic was the missing check for malware in uploaded files.

So any admin could store malicious code in a file which gets inserted in a survey or in the backend, where a superadmin could execute the code by chance, so something bad could happen (enhancement of rights, ...).

One solution would be to check each upload and delete the file on a detection of malware, responding with an error message about bad upload.

Is there a hook/event a plugin can use to realize this?

What are the chances of getting something like that into the code?

2 weeks 11 hours ago #181397 by DenisChenu
I don't think you can have malware on image files.

Then maybe restrict uploads to image files only:
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L87
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L89

You can set it in your own config.php file: manual.limesurvey.org/Optional_settings#Introduction

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand (or search "sondages pro").
An error happened? Before making a new topic, remember the Debug mode.

2 weeks 2 hours ago #181422 by jelo

DenisChenu wrote: I don't think you can have malware on image files.

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

But I wonder what scope the "security check" had. LimeSurvey isn't made for many users with different security levels. I don't see LimeSurvey being able to secure all attack vectors (uploading an LSS with malicious JS code inside).

Which survey solution or web application offers an upload scanner by default? Which engine is used?

Similar to Google Maps, an optional check via VirusTotal could be offered.
E.g. via github.com/IzzySoft/virustotal
But I'm not sure it is worth the hassle.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

1 week 6 days ago - 1 week 6 days ago #181430 by DenisChenu

jelo wrote:

DenisChenu wrote: I don't think you can have malware on image files.

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

Yes, OK: part of the malware is inside the comment.

BUT: you need another part (the PHP part here) to decode this EXIF comment.

The file by itself is still secure …

You can hide any bad contents in question text, but if you don't have a way to launch it, it is still harmless…

jelo wrote: I don't see LimeSurvey being able to secure all attack vectors (uploading an LSS with malicious JS code inside).

I don't say it's perfect, but with XSS security on (and not being a super-admin), uploaded LSS files are filtered for JS and other harmful code (using htmlpurifier.org/).

If you can add any harmful (and working) system with a non-super-admin account (and no template edit allowed), this must be reported as a security issue (and we fix it).

Last edit: 1 week 6 days ago by DenisChenu.

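The checks this part of the thread circles around, as an added example that is not LimeSurvey code and not from any of the posters: an upload validator (written in Python rather than LimeSurvey's PHP) that does what bewi proposes, keeping nothing on rejection and handing back a reason for the error message, while applying DenisChenu's restriction to image types by content signature rather than by extension alone, and covering jelo's point that a JPEG COM/EXIF comment can carry script text. The signature table, the marker list and the sample JPEG builder are constructed for this example.

```python
import re
import struct
from dataclasses import dataclass

# Allowlist: declared extension -> magic-byte prefixes a file of that type must start with.
# Constructed for this example; a deployment would derive it from the server's upload config.
IMAGE_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Text that has no business inside an image.  A hit does not prove the file is an
# exploit (as the thread notes, something on the server would still have to decode
# and run it), but it is reason enough to refuse the upload.
SCRIPT_MARKERS = [rb"<\?php", rb"<\?=", rb"<script\b", rb"\beval\s*\(", rb"base64_decode\s*\("]


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_upload(filename: str, data: bytes) -> Verdict:
    """Return an accept/reject verdict for one uploaded file.

    Order matters: the cheap extension check runs first, then the content
    signature (so a script renamed to .jpg is caught), then the marker scan over
    the whole file, which also covers JPEG COM segments and EXIF text fields.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return Verdict(False, f"extension {ext!r} is not in the image allowlist")
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return Verdict(False, f"content does not match a {ext} signature")
    for marker in SCRIPT_MARKERS:
        if re.search(marker, data, re.IGNORECASE):
            return Verdict(False, f"script marker matching {marker.decode()!r} found inside image")
    return Verdict(True, "ok")


def jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed sample: a minimal JPEG skeleton (SOI, one COM segment, EOI).

    The COM segment length field counts itself (2 bytes) plus the payload.
    """
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"


def handle_upload(filename: str, data: bytes, store: dict) -> Verdict:
    """bewi's proposal: keep the file only when it passes, otherwise store nothing
    and return the reason for the error message.  `store` stands in for the
    upload directory (a dict here so the example runs offline)."""
    verdict = check_upload(filename, data)
    if verdict.accepted:
        store[filename] = data
    return verdict


if __name__ == "__main__":
    uploads = {}
    samples = [
        ("photo.jpg", jpeg_with_comment(b"Created with GIMP")),     # benign comment
        ("photo2.jpg", jpeg_with_comment(b"<?php echo 'hi'; ?>")),  # script text in COM segment
        ("avatar.jpg", b"<?php echo 'hi'; ?>"),                     # script renamed to .jpg
        ("notes.txt", b"hello"),                                    # not an image type at all
    ]
    for name, blob in samples:
        v = handle_upload(name, blob, uploads)
        print(f"{name}: {'accepted' if v.accepted else 'rejected'} ({v.reason})")
    print("stored:", sorted(uploads))
```

The marker scan only sees plaintext, so an encoded payload in a comment field passes it; that is exactly DenisChenu's point that the file is inert unless something on the server decodes and executes it, which makes the decisive control that the upload directory is never served or included as PHP. For actual malware detection, the accepted file would be handed to an engine such as the VirusTotal lookup jelo mentions, which this example does not do.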

1 week 6 days ago #181452 by jelo

DenisChenu wrote: but with XSS security on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Prerequisites to use LimeSurvey (if you want to use the average feature set of an average survey tool): XSS security off. Ajax mode off.

1 week 6 days ago #181453 by DenisChenu

jelo wrote:

DenisChenu wrote: but with XSS security on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Users who come to the forum need very specific solutions.

More than 95% of my surveys are done without any workaround …

1 week 6 days ago - 1 week 6 days ago #181455 by jelo

DenisChenu wrote: More than 95% of my surveys are done without any workaround …

People contacting you are already on LimeSurvey soil. Your customers can leave XSS on, because they get a plugin installed ;-) I wonder if 95% of TPartners' customers conduct surveys without any workaround.

Last edit: 1 week 6 days ago by jelo.

1 week 6 days ago #181463 by tpartner
I would say that 95% of my customers have customizations but only about half of those are what I would call "workarounds".

Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.

1 week 6 days ago - 1 week 6 days ago #181468 by DenisChenu

jelo wrote: Your customers can leave XSS on, because they get a plugin installed ;-)

No, for the public part :).

More: theme (without workaround) or management in PHP (no need for JS).

Last edit: 1 week 6 days ago by DenisChenu.
