TOPIC: Failed Security Scan - :dry: - Version 2.00+ Build 131022

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103220

  • DenisChenu (Moderator Lime)
mas_carpone wrote:
Yes Denis, the latest build of 2.05 (released on 19 December)
OK, great.

If it's a public survey: I think it's a false positive: we accept pseudo-XSS.

Did the "Reported by module Scripting (XSS.script)" show more information?

What tool is used here?
(I have to install such tools... I have only one ;) ).

You can report a 'security' bug if you have more information.

Denis
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time (Say thanks?).
A bug not reported is a bug not corrected. | Please, read the documentation | The French documentation needs you

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103222

  • mas_carpone (Gold Lime)
This is FANTASTIC NEWS!

I have asked for the full "developer" report which I will share with you.
Soooo happy if that were the case!

Will let you know asap!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103265

  • mas_carpone (Gold Lime)
So, back to you on this. The software used is Acunetix Website Audit.
There is more detailed information on 2 affected items, which I have copied here. I am of course happy to share the full report if there is a way to do so.

Affected items

Details
/index.php/admin/authentication/sa/forgotpassword
Cookie input YII_CSRF_TOKEN was set to iesv1lo99j7e1lf64bpevooig4_923200'():;932205
The input is reflected inside <script> tag between single quotes.

Requested headers
GET /index.php/admin/authentication/sa/forgotpassword HTTP/1.1
Cookie: PHPSESSID=iesv1lo99j7e1lf64bpevooig4; YII_CSRF_TOKEN=iesv1lo99j7e1lf64bpevooig4_923200'():%3B932205
Referer: iim.who.int:80/
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*


Details
/index.php/admin/authentication/sa/login
Cookie input YII_CSRF_TOKEN was set to iesv1lo99j7e1lf64bpevooig4_978679'():;998756
The input is reflected inside <script> tag between single quotes.


Requested header
GET /index.php/admin/authentication/sa/login HTTP/1.1
Cookie: PHPSESSID=iesv1lo99j7e1lf64bpevooig4; YII_CSRF_TOKEN=iesv1lo99j7e1lf64bpevooig4_978679'():%3B998756
Referer: iim.who.int:80/
Host: iim.who.int
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: www.acunetix.com/wvs/disc.htm
Accept: */*

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103268

  • DenisChenu (Moderator Lime)
csrfToken isn't taken from $_COOKIE directly; Yii seems to filter it.

But bug fixed.
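The two findings in the scan report (a cookie value reflected inside a <script> tag between single quotes) and the fix Denis refers to come down to one pattern. The code below is an added example written for this thread; it is not LimeSurvey or Yii code, and every function and variable name in it is hypothetical. It reproduces the vulnerable rendering with the exact payload Acunetix sent, shows a hardened rendering, adds the check a practitioner would apply to the returned page to confirm the finding is gone, and rejects the cookie up front when it does not look like a token (the accepted token alphabet is an assumption, not the framework's rule).

```php
<?php
// Added example for this thread; not LimeSurvey or Yii code.
// Reproduces the Acunetix finding (cookie value reflected inside <script>
// between single quotes), shows a hardened rendering, and gives a check
// that a retest can apply to the page source. All names are hypothetical.

// Payload copied from the scan report: the quote closes the JS string
// literal and "():;" is then parsed as JavaScript.
const SCAN_PAYLOAD = "iesv1lo99j7e1lf64bpevooig4_923200'():;932205";

// Vulnerable pattern: the raw cookie value is concatenated into a
// single-quoted JS string literal.
function renderTokenScriptUnsafe(string $token): string
{
    return "<script>var csrfToken = '" . $token . "';</script>";
}

// Hardened pattern: json_encode() with the HEX flags turns ' " < > &
// into \uXXXX escapes (and "/" into "\/"), so the value can close neither
// the literal nor the <script> element. json_encode() supplies the quotes.
function renderTokenScriptSafe(string $token): string
{
    $js = json_encode(
        $token,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    if ($js === false) {          // e.g. invalid UTF-8 in the cookie
        $js = '""';
    }
    return "<script>var csrfToken = " . $js . ";</script>";
}

// First line of defence: never echo an attacker-shaped cookie at all.
// Assumed token alphabet (an assumption for this example): URL-safe
// base64 or hex, 16..128 characters. Anything else is rejected and the
// caller should mint a fresh token instead of reflecting the cookie.
function tokenFromCookie(array $cookies, string $name = 'YII_CSRF_TOKEN'): ?string
{
    $value = $cookies[$name] ?? null;
    if (!is_string($value) || preg_match('/^[A-Za-z0-9_-]{16,128}$/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Check for a rendered page: the assignment must be exactly one JS string
// literal whose only escapes are \uXXXX or \/ and which contains no raw
// quote, backslash or '<'. Anything else means the value escaped the
// literal (or the element) and the scanner's finding is real.
function isSingleStringLiteral(string $html): bool
{
    $pattern = <<<'RE'
#^<script>var csrfToken = (?:'(?:[^'\\<]|\\u[0-9a-fA-F]{4}|\\/)*'|"(?:[^"\\<]|\\u[0-9a-fA-F]{4}|\\/)*");</script>$#
RE;
    return preg_match($pattern, $html) === 1;
}

// Demonstration on the scan payload and on a closing-tag variant
// (the second value is constructed for this example).
foreach ([SCAN_PAYLOAD, 'abc</script><script>alert(1)</script>'] as $value) {
    printf("unsafe rendering contained:  %s\n",
        isSingleStringLiteral(renderTokenScriptUnsafe($value)) ? 'yes' : 'NO');
    printf("safe rendering contained:    %s\n",
        isSingleStringLiteral(renderTokenScriptSafe($value)) ? 'yes' : 'NO');
    printf("cookie accepted as a token:  %s\n\n",
        tokenFromCookie(['YII_CSRF_TOKEN' => $value]) === null ? 'no (rejected)' : 'yes');
}
```

Run it with the php command-line binary: the unsafe rendering fails the check for both the scan payload and the closing-tag variant, the hardened rendering passes, and neither value is accepted as a token. In a Yii 1 application the framework's CJavaScript::encode() helper serves the same purpose as the json_encode() call here. To retest a deployed instance the way the scanner did, send the same Cookie header shown in the report and apply the same check to the returned page: the finding is gone when the reflected value is a single well-formed literal, or when the cookie is not reflected at all.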

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103271

  • mas_carpone (Gold Lime)
Denis, first of all, thanks a million for following up.

Can you let me know if you have been able to rescan the fixed version with Acunetix? And if so, how could I get that fixed here? Do I need to wait for the next release?

In any case, thanks again so much for your support!

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103278

  • DenisChenu (Moderator Lime)
You gave me all the information I need :).

For Acunetix: no time at the moment (and I can only use the unregistered version, and I think it doesn't work on Linux :) ).

To test with the patch: you can download directly from GitHub: github.com/LimeSurvey/LimeSurvey/archive/master.zip

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103619

  • mas_carpone (Gold Lime)
Dear Denis, Colleagues,

Unfortunately the test has highlighted further issues related to cross-site scripting (grrrrrrr!).
I think, unfortunately, since my IT department cannot link up directly with you, I have everybody lose a lot of time on this... :(

We are trying to secure the help of a consultant on this who will sit in the IT department so he can test in the final environment and with the tools they are using here (what a pain... :( )

In any case I will of course ask that person to keep you all posted on this issue.

Sorry for all the trouble - guess I'm working for a particularly difficult organization unfortunately...

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103622

  • DenisChenu (Moderator Lime)
Hi,
mas_carpone wrote:
Unfortunately the test has highlighted further issues related to cross-site scripting (grrrrrrr!).
We always correct security bugs as a priority.

I don't understand: we do a lot of work on XSS in LimeSurvey.

Denis

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103625

  • mas_carpone (Gold Lime)
Hi Denis,

The main problem here doesn't lie with the community at all. The tool is fantastic, and the more I use it the more I imagine new possible projects on which LS could play a big part... I am afraid our internal IT system is the issue here, I don't know :(

But I find myself facing a wall here... Apparently the latest test fed back more issues than the previous one and they have basically refused to re-test...

If there is a way to attach a document, I am happy to share the full developer report with you.

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103627

  • DenisChenu (Moderator Lime)
Hi,

Send it to me at denis<AT>sondages<DOT>pro, and I'll send it to our bug report system.

Denis

Failed Security Scan - :dry: - Version 2.00+ Build 131022 2 years 6 months ago #103629

  • mas_carpone (Gold Lime)
Done