Latest forum posts

More Topics »

LimeSurvey Security Advisory 2008/06/22

For the last couple months the LimeSurvey project has done a lot of self-imposed security audits on the LimeSurvey code base. (Thank you to the Ubuntu Server team for pointing out first issues and giving us a head start.)
During this process several security issues have been fixed in the source code which include:

  • Issues where variable manipulation was possible when register_globals in PHP is activated
  • Session Data injection & manipulation
  • Permanent & non-permanent XSS-issues where an attacker could try to gain access by injecting own javacript code into the application
  • Session related issues where a possible attacker could take over the session and/or gain higher access privileges    
Most of these issue were already fixed for 1.71 stable. (Affected versions: 1.70+ (all builds) and older)

On top of that we fixed two moderate issues for the current 1.71 release which were

  • Two XSS attacks for security flaws in the IE6 browser.
  • Session Fixation attack

Thank you to security advisor Michal Tresner for reporting.

Exploits in the Wild: No known exploits yet. We strongly recommend to update as long it stays that way!

Update to the latest LimeSurvey 1.71+ Build 5147 or later version available from

This security advisory refers to CVE-2008-2659 - LimeSurvey XSS candidate



Survey respondents needed? Book respondents from 40+ countries for your research survey.

NuSPhere PhpEd logo
NuSphere supports the LimeSurvey project!

Get notified...

... on new releases. Subscribe to our RSS feed for LimeSurvey updates/releases:

rss RSS feed for LimeSurvey releases


Who is online?

Donation Image