limesurvey index.php p parameter exploit?

More
2 years 10 months ago #115228 by explo1ted
explo1ted created the topic: limesurvey index.php p parameter exploit?
If you Google 'limesurvey viagra p parameter', you'll see a bunch of limesurvey sites with URLs such as:

iai-survey.iai.kit.edu/limesurvey/index.php?p=sales-of-viagra

Such URLs do a 302 redirect, in that case to some online pharmacy

On my own server, I can see the entries in classes/inputfilter/filters are evil, by base64decoding them.

Those entries appear to inject the dodgy URLs; for example, sportpanel.web.t4is.nl/limesurvey/index....omprar-viagra-online

But I haven't worked out what makes that URL redirect to the dodgy site.

No doubt this is a well known exploit; is that enough info to say which one, exactly?
The following user(s) said Thank You: Ben_V

Please Log in to join the conversation.

More
2 years 10 months ago - 2 years 10 months ago #115237 by Ben_V
Ben_V replied the topic: limesurvey index.php p parameter exploit?

explo1ted wrote: you'll see a bunch of limesurvey sites

About 2,030 results...
and about 9,500 results for the query " v*ag*a limesurvey "

Thank you for reporting this security issue...
BTW there is a lot of surveys indexed by Google (and other major search engines). In my opinion a meta
<meta name="robots" content="none" /> should be added to all shipped templates... It's not a strong protection and only a part of all basic security settings, but it's a good start, useful to limit this kind of infection.

I think you've enough arguments to open a bug-tracker ticket ;)

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
Last Edit: 2 years 10 months ago by Ben_V.

Please Log in to join the conversation.

More
2 years 10 months ago #115242 by DenisChenu
DenisChenu replied the topic: limesurvey index.php p parameter exploit?
Hi,

For this one : jQuery JavaScript Library v1.4.2 then an old version in /limesurvey/scripts/jquery/ directory. Then a before 2.00 version .

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .
The following user(s) said Thank You: Ben_V

Please Log in to join the conversation.

More
2 years 10 months ago #115249 by c_schmitz
c_schmitz replied the topic: limesurvey index.php p parameter exploit?
The first link is a 1.91 version. It looks like the software itself was changed as there is no such "p" parameter in 1.91. It was most likely attacked and modified by one of the other vulnerabilities existing in that old version. Sneaky, requires a change of only a few lines of code.
I would need to get access to the files of such an installation to have more info.

Maybe someone likes to set up a honeypot :-)

Best regards

Carsten Schmitz
LimeSurvey project leader

Please Log in to join the conversation.

Start now!

Just create your account and start using Limesurvey today.

Register now