Bootstrap upgrade

2 months 2 weeks ago #187080 by Talsaady
Bootstrap upgrade was created by Talsaady
Hi, I am using LimeSurvey ver. 3.17.8 with Bootstrap version 3.3.7, which has some vulnerabilities, and I am wondering if it will work with Bootstrap version 4?

regards


2 months 2 weeks ago #187113 by jelo
jelo replied to Bootstrap upgrade

Talsaady wrote: Hi, I am using LimeSurvey ver. 3.17.8 with Bootstrap version 3.3.7, which has some vulnerabilities

Can you provide some info about the vulnerabilities? I recommend opening a bug report with LimeSurvey if you see a security issue running a survey with the shipped Bootstrap package.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user said thank you: cdorin


2 months 2 weeks ago #187165 by Talsaady
Talsaady replied to Bootstrap upgrade
Hello,
actually, the attached picture shows our security scan result on our survey site.

regards,
Attachments:


2 months 2 weeks ago #187166 by tpartner
tpartner replied to Bootstrap upgrade
Please file a bug report.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
Official LimeSurvey Partner - partnersurveys.com


2 months 2 weeks ago #187168 by jelo
jelo replied to Bootstrap upgrade
Thanks for your scan. I'm afraid that there are a lot more JavaScript libraries bundled with LimeSurvey which are outdated. A look at GitHub shows e.g.
github.com/LimeSurvey/LimeSurvey/blob/ma.../js/source/jquery.js or github.com/LimeSurvey/LimeSurvey/blob/ma...ibs/jquery/jquery.js

It's not always the case that such libraries can be exploited. It depends a bit on how LimeSurvey has integrated the libraries. The impact can differ a lot.



jQuery:
www.cvedetails.com/cve/CVE-2019-11358/

Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

You still should report your findings as tpartner already pointed out.



2 months 2 weeks ago #187170 by DenisChenu
DenisChenu replied to Bootstrap upgrade

jelo wrote: jQuery:
www.cvedetails.com/cve/CVE-2019-11358/

Unsure; could be impacted (if XSS is on).

But we must remove/disable the old jquery.js file …

jelo wrote: Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

Unsure; could be impacted (if XSS is on), less sure. An XSS user can use a class for a tooltip, but I don't know how to add XSS inside this tooltip.

I think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
An error happened? Before making a new topic: remember the Debug mode.


2 months 2 weeks ago #187189 by jelo
jelo replied to Bootstrap upgrade

DenisChenu wrote: I think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Correct, but how will the LimeSurvey dev team monitor the impact from external libs?
The amount of external code is getting bigger and bigger.



2 months 2 weeks ago #187191 by DenisChenu
DenisChenu replied to Bootstrap upgrade
github.com/LimeSurvey/LimeSurvey/tree/master/tests

But here we need a test for ranking and slider.



2 months 4 days ago #187628 by jelo
jelo replied to Bootstrap upgrade
Looks like you need to provide an exploit to get a Bootstrap update. Nice idea, but as a SaaS provider the approach might be a bit risky.

bugs.limesurvey.org/view.php?id=15141#c53152

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly, if necessary with an addition to core Bootstrap or jQuery.



