LimeSurvey Security Advisory 2008/06/22

For the last couple of months the LimeSurvey project has done a lot of self-imposed security audits on the LimeSurvey code base. (Thank you to the Ubuntu Server team for pointing out the first issues and giving us a head start.)
During this process several security issues have been fixed in the source code which include:

  • Issues where variable manipulation was possible when register_globals in PHP is activated
  • Session data injection & manipulation
  • Permanent & non-permanent XSS issues where an attacker could try to gain access by injecting their own JavaScript code into the application
  • Session-related issues where a possible attacker could take over the session and/or gain higher access privileges
Most of these issues were already fixed for 1.71 stable. (Affected versions: 1.70+ (all builds) and older)

On top of that we fixed two moderate issues for the current 1.71 release which were

  • Two XSS attacks that rely on security flaws in the IE6 browser.
  • Session Fixation attack
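The issue classes named in the two lists above (register_globals variable manipulation, session data manipulation and fixation, and reflected/stored XSS) each have a standard defensive counterpart in PHP. The following is an added example written for this page; it is not LimeSurvey's code, and the function names (assertRegisterGlobalsOff, startHardenedSession, loginUser, e) and the sample survey title are assumed. It assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example, not part of the LimeSurvey code base. Names are assumed.

// 1. register_globals: refuse to run when the directive is on, so request
//    parameters can never silently overwrite internal variables.
function assertRegisterGlobalsOff(): void
{
    if (ini_get('register_globals')) {
        // Abort rather than continue with a scope the client can populate.
        throw new RuntimeException('register_globals must be disabled');
    }
}

// 2. Session fixation / takeover: accept session ids only from cookies,
//    reject ids the server never issued, and keep the cookie away from script.
function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1'); // no ids via the URL
    ini_set('session.use_strict_mode', '1');  // drop unknown ids
    session_set_cookie_params([
        'httponly' => true,                    // injected JS cannot read it
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue a fresh id at the privilege boundary. The old id (and any data an
// attacker planted under it) is discarded, so a pre-login id cannot be reused.
function loginUser(string $username, int $userId, int $privilegeLevel): void
{
    session_regenerate_id(true);
    // Privilege data lives server-side only; it is never read back from
    // the request, which closes the session data injection path.
    $_SESSION = [
        'user'       => $username,
        'uid'        => $userId,
        'level'      => $privilegeLevel,
        'login_time' => time(),
    ];
}

// 3. XSS: escape every value reflected into HTML, stored values included.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with a constructed survey title standing in for user-supplied data.
assertRegisterGlobalsOff();
startHardenedSession();
loginUser('admin', 1, 5);
$title = '<script>alert(1)</script> Customer survey';
echo '<h1>' . e($title) . "</h1>\n";
// Rendered as text: &lt;script&gt;alert(1)&lt;/script&gt; Customer survey
```

The order matters: the session is started before any output so the Set-Cookie header can still be sent, and session_regenerate_id(true) is called at login rather than at every request, which is the point at which a fixated id would otherwise become an authenticated one.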

Thank you to security advisor Michal Tresner for reporting.

Exploits in the Wild: No known exploits yet. We strongly recommend updating while that is still the case!

Solution:
Update to the latest LimeSurvey 1.71+ Build 5147 or later version available from http://www.limesurvey.org

This security advisory refers to CVE-2008-2659 - LimeSurvey XSS candidate
