Welcome to the LimeSurvey Community Forum

Security Advisory email prompting update but...

8 years 3 months ago #129270 by Danisusername
Hi there,

I received the following email from LimeSurvey in October...

"A vulnerability of high severity was found in LimeSurvey which enables an attacker to get unauthorized access to files and data of your LimeSurvey installation.

The LimeSurvey team thanks Pichaya Morimoto (discovery, analysis) from the SEC Consult Vulnerability Lab for responsibly reporting the identified issues and working with us as we addressed them.

Affected Versions: All versions between 2.0+ (all builds) and 2.06+ Build 151014

Severity: HIGH

How to fix: Upgrade to LimeSurvey 2.06+ Build 151016 or later."

I'm not sure how to go about updating because I did not download LimeSurvey to my laptop. My Uni set me up with an account so I access LimeSurvey via my Uni somehow and unfortunately there's no one there offering support anymore. Can anyone shed any light on what, if anything, I should do?

Many thanks,
Dani.
The topic has been locked.
8 years 3 months ago #129271 by holch
If you received the access to LimeSurvey from your university, then there is little you can do, besides talking to the person responsible for the installation and convincing him/her to update. As you say that there is no one to offer support, you have a little dilemma, because I would suggest not running surveys (especially when they contain important/confidential data) on an installation that is not updated.

What can you do? Install your own LimeSurvey installation on a webserver (actually no rocket science) or, if you are not up for taking care of your own LimeSurvey installation, you could go with Limeservice.com, who would provide you with an up-to-date installation and you would pay per answer. Pricing is pretty competitive for the fact that you don't have to worry about anything, I think.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

8 years 3 months ago #129272 by Danisusername
Thank you very much for your reply. Although the data is confidential, there are no personal identifiers. Do you think I'm at risk of losing the information? Also, if I download my own version, can I transfer all the info from the existing survey, data and everything?
8 years 3 months ago #129273 by holch
If you have a survey running at the moment, I would just do a backup quite frequently and try to finish the survey on the server your university is providing.

You could download the whole project and upload it to your own webserver (you can't run it from your notebook). If you have a little experience with installing web applications you can probably do this in 10 minutes. The installation process of LimeSurvey is fairly straightforward, even if you are not an expert.

8 years 3 months ago #129274 by Danisusername
Great, thank you very much.