XSS Filter in Front End / user answering
- albertosepe
- Topic Author
- Offline
- New Member
8 years 5 months ago #128123
by albertosepe
XSS Filter in Front End / user answering was created by albertosepe
Hi,
I am on LimeSurvey 2.06+ Build 151018 and have a simple one-question-per-page survey where all questions are of the long text type.
Someone pointed out to me that a common panel user (no admin login, just token invited) can XSS attack the platform by injecting </textarea><script>javascript malicious code</script><textarea> (i.e. </textarea><script>alert(document.cookie)</script><textarea>) inside any answer. I have the global XSS filter active both in the admin configuration and in the config file. I searched the docs and forums and didn't find anything useful in this case. Is it really so? What can I do to prevent this?
The topic has been locked.
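The breakout described in the first post works because <textarea> is an RCDATA element: the browser ignores tags inside it except its own closing tag, so a stored answer containing </textarea> ends the element and everything after it is parsed as markup. The defence is output encoding at the point of display, independent of any input filter. The following is an added illustration, not LimeSurvey code: the unsafe rendering beside the escaped one, a check on a rendered fragment, and a sweep over stored answers for auditing existing data. The `name="answer"` attribute and the sample answer are constructed for the example.

```python
import html
import re

# Constructed sample answer, the same payload shape the thread quotes.
SAMPLE_ANSWER = "</textarea><script>alert(document.cookie)</script><textarea>"

# A closing textarea tag as browsers accept it: '</textarea' followed by
# whitespace, '/', or '>' (case-insensitive).
CLOSE_TAG = re.compile(r"</textarea(?=[\s/>])", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_textarea_unsafe(answer: str) -> str:
    """The failure mode from the thread: the stored answer is interpolated
    verbatim, so a '</textarea>' inside the data terminates the element and
    the remainder of the answer is parsed as ordinary HTML."""
    return f'<textarea name="answer">{answer}</textarea>'


def render_textarea_safe(answer: str) -> str:
    """Output encoding at display time. html.escape turns '<' into '&lt;',
    so no closing tag can appear in the data; the browser decodes the
    entities back to the literal text when it shows the textarea's value."""
    return f'<textarea name="answer">{html.escape(answer, quote=True)}</textarea>'


def breaks_out_of_textarea(rendered: str) -> bool:
    """Check on a rendered fragment that should contain exactly one textarea:
    there must be exactly one closing tag and no script tag at all."""
    closes = len(CLOSE_TAG.findall(rendered))
    return closes != 1 or SCRIPT_TAG.search(rendered) is not None


def flag_stored_answers(answers: list[str]) -> list[int]:
    """Defender-side sweep over already stored answers: indexes of answers
    that would terminate a textarea if rendered unescaped. Useful for
    auditing data that was collected before the display code was fixed."""
    return [i for i, a in enumerate(answers) if CLOSE_TAG.search(a)]


if __name__ == "__main__":
    print(render_textarea_unsafe(SAMPLE_ANSWER))  # two closing tags, script live
    print(render_textarea_safe(SAMPLE_ANSWER))    # one closing tag, text only
```

Escaping on output does not alter what the respondent sees: the escaped value round-trips to the original text in the textarea, so a legitimate answer such as "a < b" is displayed unchanged while the payload is shown as inert text.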
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13620
- Thank you received: 2488
8 years 5 months ago #128131
by DenisChenu
Replied by DenisChenu on topic XSS Filter in Front End / user answering
Actually, we are not informed of such an attack.
A user can enter this sentence in a textarea, but this is not working in LimeSurvey (public or admin): we filter when we show it.
Someone must validate the information before alerting you. And we have a bug report where a security issue is fixed in less than a day.
Denis
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- albertosepe
- Topic Author
- Offline
- New Member
- Posts: 2
- Thank you received: 0
8 years 5 months ago - 8 years 5 months ago #128147
by albertosepe
Replied by albertosepe on topic XSS Filter in Front End / user answering
The fact is that I tried it myself and it worked! I can send you a link and token where you can reproduce it if you think that may be useful.
Perhaps I should open an issue in Mantis?
Actually it worked also here: survey.limesurvey.org/97793 . First screen, put malicious code in the textarea, click on next, click on "Administrative interface" from the questions index and you will alert document.cookie.
Last edit: 8 years 5 months ago by albertosepe. Reason: More details
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13620
- Thank you received: 2488
8 years 5 months ago - 8 years 5 months ago #128148
by DenisChenu
Replied by DenisChenu on topic XSS Filter in Front End / user answering
Yes
albertosepe wrote: ...
Perhaps I should open an issue in Mantis?
....
Oh: I understand better now: not in the admin part, but in the public part ... You're right: it must be fixed.
Please: report the bug
PS: there is XSS protection, so the user must really enter this sentence. Not sure what security we have here.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
Last edit: 8 years 5 months ago by DenisChenu.