TOPIC: Failed Security Scan - :dry: - Version 2.00+ Build 131022

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 7 months ago #102466

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
Hi,

I think you must make a DB backup and a file backup before upgrading to the latest 2.05 version, because you cannot downgrade.
Another possibility is to give a try with:
- Update the included jQuery from 2.00 to blog.jquery.com/2011/09/12/jquery-1-6-4-released/ because it seems 1.6.4 doesn't have this issue
And test all your surveys a lot.

I'll try in my own fork for 2014; I don't have time at the moment.

Denis
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time (Say thanks?).
A bug not reported is a bug not corrected. | Please, read the documentation | La doc en français a besoin de vous
The following user(s) said Thank You: mas_carpone

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 7 months ago #102472

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
Thanks Denis,

Actually, all my IS are still on 1.92 - as we were not able to migrate since.
We should probably move to 2.05 directly then? Do you know if jQuery has been updated on 2.05?

Merci!

Samuel

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103157

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
Hi All,

For information I have asked my IT colleagues to update again to the latest and re-run the security scan as advised (they are slowly getting mad at me though... :dry: ).

The initial problem mentioned in this thread seems to have been fixed since; however, I still have an issue to resolve around cross-site scripting.


Reported by module Scripting (XSS.script)

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Your script should filter metacharacters from user input.

My colleagues said this may even be a "False Positive" but that I needed to have this ascertained before they get the green light to install. They are tight on security issues as we have had problems in the past :(

Anyway, if anybody here can help we'd be very grateful! In parallel I am exploring the possibility of recruiting a developer to look at this as time is really running out...

Merci!
Last Edit: 2 years 6 months ago by mas_carpone.

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103159

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
Hi,

Did they update to the latest 2.05 version?
The following user(s) said Thank You: mas_carpone

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103208

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
Yes Denis, the latest build of 2.05 (released on 19 December)

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103220

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
mas_carpone wrote:
Yes Denis, the latest build of 2.05 (released on 19 december)
OK, great.

If it's a public survey: I think it's a false positive: we accept pseudo-XSS.

Did the "Reported by module Scripting (XSS.script)" show more information?

What tool is used here?
(I have to install such tools ... I have only one ;) ).

You can report a 'security' bug if you have more information.

Denis
The following user(s) said Thank You: mas_carpone

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103222

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
This is FANTASTIC NEWS!

I have asked for the full "developer" report which I will share with you.
Soooo happy if that were the case!

Will let you know asap!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103265

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
So, back to you on this. The software used is Acunetix Website Audit.
There is more detailed information on 2 affected items, which I have copied here. I am of course happy to share the full report if there is a way to do so.

Affected items

Details
/index.php/admin/authentication/sa/forgotpassword
Cookie input YII_CSRF_TOKEN was set to iesv1lo99j7e1lf64bpevooig4_923200'():;932205
The input is reflected inside <script> tag between single quotes.

Requested headers
GET /index.php/admin/authentication/sa/forgotpassword HTTP/1.1
Cookie: PHPSESSID=iesv1lo99j7e1lf64bpevooig4; YII_CSRF_TOKEN=iesv1lo99j7e1lf64bpevooig4_923200'():%3B932205
Referer: iim.who.int:80/
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*


Details
/index.php/admin/authentication/sa/login
Cookie input YII_CSRF_TOKEN was set to iesv1lo99j7e1lf64bpevooig4_978679'():;998756
The input is reflected inside <script> tag between single quotes.


Requested header
GET /index.php/admin/authentication/sa/login HTTP/1.1
Cookie: PHPSESSID=iesv1lo99j7e1lf64bpevooig4; YII_CSRF_TOKEN=iesv1lo99j7e1lf64bpevooig4_978679'():%3B998756
Referer: iim.who.int:80/
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*
The following user(s) said Thank You: DenisChenu
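The two findings above (and the generic "filter metacharacters" recommendation in the earlier scan excerpt) describe one pattern: a cookie-derived value is written between single quotes inside a `<script>` block, so a value containing a quote closes the JavaScript string early. The following Python is an added illustration written for this thread, not LimeSurvey or Yii code: it renders a hypothetical `var csrfToken = '...'` template the unsafe way and the encoded way, adds a format check in the spirit of the cookie filtering Denis mentions (the token alphabet is an assumption), and includes a small lexer-style check that detects the early-termination the scanner reports. The probe value is the one from the report; the well-formed token is constructed from it.

```python
import json
import re

PREFIX = "<script>var csrfToken = "   # hypothetical inline-script template
SUFFIX = ";</script>"

# Probe value exactly as the Acunetix report in this thread shows it
SCANNER_PROBE = "iesv1lo99j7e1lf64bpevooig4_923200'():;932205"

# Constructed sample of a well-formed token (the probe without its quote/paren/semicolon tail)
SAMPLE_TOKEN = "iesv1lo99j7e1lf64bpevooig4_923200"

# Assumption: a genuine token is drawn from this alphabet; anything else is not a token
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


def render_unsafe(token: str) -> str:
    """Vulnerable pattern from the report: a cookie-derived value dropped
    between single quotes inside <script> with no encoding."""
    return PREFIX + "'" + token + "'" + SUFFIX


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal that stays a literal inside <script>.
    json.dumps escapes quotes, backslashes, control chars and (ensure_ascii)
    every non-ASCII char including U+2028/U+2029; <, > and & are then escaped
    so the literal can never contain '</script' or an HTML comment opener."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_encoded(token: str) -> str:
    """Output encoding only: safe against breakout, but still reflects junk."""
    return PREFIX + js_string_literal(token) + SUFFIX


def is_expected_token_format(token: str) -> bool:
    """Input validation: does the cookie value even look like a token?"""
    return TOKEN_RE.fullmatch(token) is not None


def render_hardened(token: str) -> str:
    """Defence in depth: reject values that do not look like a token at all,
    then encode the ones that do."""
    if not is_expected_token_format(token):
        raise ValueError("cookie value does not look like a CSRF token; refusing to reflect it")
    return render_encoded(token)


def script_tail_after_literal(rendered: str) -> str:
    """Walk the string literal after PREFIX the way a JS lexer would
    (a backslash escapes the next char) and return everything after the
    closing quote. A safe rendering leaves exactly SUFFIX; anything else
    means the value terminated the literal early (the XSS.script finding)."""
    if not rendered.startswith(PREFIX):
        raise ValueError("unexpected template")
    i = len(PREFIX)
    quote = rendered[i]
    i += 1
    while i < len(rendered):
        ch = rendered[i]
        if ch == "\\":
            i += 2          # escaped char, skip it
            continue
        if ch == quote:
            return rendered[i + 1:]
        i += 1
    return ""               # unterminated literal


def is_safe_rendering(rendered: str) -> bool:
    """The literal closes exactly where the template expects, and the HTML
    parser cannot find a premature </script inside it."""
    body = rendered[len(PREFIX):-len(SUFFIX)]
    return (script_tail_after_literal(rendered) == SUFFIX
            and "</script" not in body.lower())


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("encoded", render_encoded)):
        out = fn(SCANNER_PROBE)
        print(f"{name:8s} safe={is_safe_rendering(out)} -> {out}")
    print("hardened safe=", is_safe_rendering(render_hardened(SAMPLE_TOKEN)))
```

Running it shows the unsafe rendering leaving `():;932205';</script>` after the literal, which is exactly what a scanner flags as "reflected inside `<script>` tag between single quotes", while the encoded rendering keeps the probe inert. Encoding is the fix that matters; the format check is the extra layer that stops a non-token value from being echoed at all, which is the behaviour a scanner rescan would confirm.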

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103268

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
The csrfToken isn't taken from $_cookies directly; Yii seems to filter it.

But the bug is fixed.
The following user(s) said Thank You: mas_carpone

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103271

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
Denis, first of all, thanks a million for following up.

Can you let me know if you have been able to rescan the fixed version with Acunetix? And if so, how could I get that fixed here? Do I need to wait for the next release?

In any way, thanks again so much for your support!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103278

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
You gave me all the information I need :).

For Acunetix: no time at the moment (and I can only use the unregistered version, and I think it doesn't work on Linux :) ).

To test with the patch: you can directly download from GitHub: github.com/LimeSurvey/LimeSurvey/archive/master.zip

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103619

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
Dear Denis, Colleagues,

Unfortunately the test has highlighted further issues related to cross-site scripting (grrrrrrr!).
I think, unfortunately, since my IT department cannot link up directly with you, I have everybody losing a lot of time on this... :(

We are trying to secure the help of a consultant on this that will sit in the IT department so he can test in the final environment and with the tools they are using here (what a pain... :( )

In any case I will ask that person of course to keep you all posted on this issue.

Sorry for all the trouble - guess I'm working for a particularly difficult organization unfortunately...

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103622

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
Hi,
mas_carpone wrote:
Unfortunately the test has highlighted further issues related to cross-site scripting (grrrrrrr!).
We always correct security bugs as a priority.

I don't understand: we do a lot of work on XSS in LimeSurvey.

Denis
The following user(s) said Thank You: mas_carpone

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103625

  • mas_carpone
  • Gold Lime
  • Posts: 187
  • Thank you received: 14
  • Karma: 3
Hi Denis,

The main problem here doesn't lie with the community at all. The tool is fantastic, and the more I use it the more I imagine new possible projects on which LS could play a big part... I am afraid our internal IT system is the issue here, I don't know :(

But I find myself facing a wall here... Apparently the latest test fed back more issues than the previous one and they have basically refused to re-test...

If there is a way to attach a document, I am happy to share the full developer report with you.

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103627

  • DenisChenu
  • Moderator Lime
  • Posts: 9293
  • Thank you received: 1327
  • Karma: 384
Hi,

Send it to me at denis<AT>sondages<DOT>pro; I'll send it to our bug report system.

Denis
The following user(s) said Thank You: mas_carpone