Checking uploaded files with antivirus software?

2 months 1 week ago #181395 by bewi
We had a security check for LimeSurvey, and one topic was the missing check for malware in uploaded files.

So any admin could store malicious code in a file which gets inserted in a survey or in the backend, where a superadmin could execute the code by chance, so something bad could happen (elevation of rights, ...).

One solution would be to check each upload and delete the file on detection of malware, responding with an error message about a bad upload.

Is there a hook/event a plugin can use to realize this?

What are the chances of getting something like that into the code?


2 months 1 week ago #181397 by DenisChenu
I don't think you can have malware in image files.

Then maybe restrict uploads to only image files:
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L87
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L89

You can set it in your own config.php file: manual.limesurvey.org/Optional_settings#Introduction

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand.
An error happened? Before making a new topic, remember Debug mode.


2 months 1 week ago #181422 by jelo

DenisChenu wrote: I don't think you can have malware in image files.

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

But I wonder what scope the "security check" had. LimeSurvey isn't made for many users with different security levels. I don't see LimeSurvey being able to secure all attack vectors (uploading an LSS with malicious JS code inside).

Which survey solution or web application offers an upload scanner by default? Which engine is used?

Similar to Google Maps, an optional check via VirusTotal could be offered.
E.g. via github.com/IzzySoft/virustotal
But I'm not sure it is worth the hassle.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users


2 months 1 week ago - 2 months 1 week ago #181430 by DenisChenu

jelo wrote:

DenisChenu wrote: I don't think you can have malware in image files.

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

Yes, OK: part of the malware is inside the comment.

BUT: you need another part (the PHP part here) to decode this EXIF comment.

The file by itself is still secure …

You can hide any bad content in question text, but if you don't have a way to launch it, it's still harmless…

jelo wrote: I don't see LimeSurvey being able to secure all attack vectors (uploading an LSS with malicious JS code inside).

I don't say it's perfect, but with XSS security on (and not being a super-admin), uploaded LSS files are filtered for JS and other harmful code (using htmlpurifier.org/ ).

If you can add any harmful (and working) system with a non-super-admin account (and no template editing allowed), this must be reported as a security issue (and we fix it).

Last edit: 2 months 1 week ago by DenisChenu.


2 months 1 week ago #181452 by jelo

DenisChenu wrote: but with XSS security on

XSS security would work in a world without workarounds. LimeSurvey without workarounds is what?

Prerequisites to use LimeSurvey (if you want to use the average feature set of an average survey tool): XSS security off. Ajax mode off.



2 months 1 week ago #181453 by DenisChenu

jelo wrote:

DenisChenu wrote: but with XSS security on

XSS security would work in a world without workarounds. LimeSurvey without workarounds is what?

Users who come to the forum need very specific solutions.

More than 95% of my surveys are done without any workaround …



2 months 1 week ago - 2 months 1 week ago #181455 by jelo

DenisChenu wrote: More than 95% of my surveys are done without any workaround …

People contacting you are already on LimeSurvey soil. Your customers can leave XSS on, because they get a plugin installed ;-) I wonder if 95% of TPartner's customers conduct surveys without any workaround.

Last edit: 2 months 1 week ago by jelo.


2 months 1 week ago #181463 by tpartner
I would say that 95% of my customers have customizations, but only about half of those are what I would call "workarounds".

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
Official LimeSurvey Partner - partnersurveys.com


2 months 1 week ago - 2 months 1 week ago #181468 by DenisChenu

jelo wrote: Your customers can leave XSS on, because they get a plugin installed ;-)

No for the public part :).

More: theme (without workaround) or management in PHP (no need for JS).

Last edit: 2 months 1 week ago by DenisChenu.
