LimeSurvey Security Advisory 10/2015

2 years 1 month ago #127510 by c_schmitz
c_schmitz created the topic: LimeSurvey Security Advisory 10/2015

A vulnerability of high severity was found in LimeSurvey which enables an attacker to get unauthorized access to files and data of your LimeSurvey installation.

The LimeSurvey team thanks Pichaya Morimoto (discovery, analysis) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.

Affected Versions: All versions between 2.0+ (all builds) and 2.06+ Build 151014

Severity: HIGH

How to fix: Upgrade to LimeSurvey 2.06+ Build 151016 or later.

We strongly advise upgrading to the latest 2.06+ version immediately, either manually or using ComfortUpdate.


Best regards

Carsten Schmitz
LimeSurvey project leader

2 years 1 month ago #127522 by fvanderstarre
fvanderstarre replied the topic: LimeSurvey Security Advisory 10/2015
Hi,
Is it about issue #9969? I'm not allowed to view that in the bug tracker...
I need more information so as to convince my sysadmins why updating is so important!
Thanks, Frank

2 years 1 month ago - 2 years 1 month ago #127525 by Mazi
Mazi replied the topic: LimeSurvey Security Advisory 10/2015
As a developer I can view the Bugtracker ticket details. To put a long story short: this is the most serious Limesurvey security issue I have seen in the last 5-6 years. It enables hackers to access your config file via some hacks and that allows them to connect to your database. So this is really serious.

Besides updating to the latest Limesurvey 2.06 version, another solution can be to rename (use a cryptic name) or back up and delete the update.php file from /limesurvey/application/controllers/admin

This will cause using ComfortUpdate later to fail (unless you restore the update.php file) but will close the door for any hackers as well.

You may also want to set "Automatically check for updates" to "never" at Global Settings -> Overview & Update so as not to confuse others (who are trying to use ComfortUpdate) with the error message which will show up due to the deleted/renamed file.


Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)survey-consulting.com
Last Edit: 2 years 1 month ago by Mazi.
The following user(s) said Thank You: fvanderstarre

2 years 1 month ago #127529 by adridg
adridg replied the topic: LimeSurvey Security Advisory 10/2015
In the alert it is said that Affected Versions: All versions between 2.0+ (all builds) and 2.06+ Build 151014
and How to fix: Upgrade to LimeSurvey 2.06+ Build 151016 or later.
We strongly advise to upgrade to the latest 2.06+ version immediately

My LS version is LimeSurvey
Version 2.06+ Build 150831

Do I still have to upgrade?
P.S.: when I enter LS as admin, it shows this message: LimeSurvey
Security Update! A security update is available. Click here to use ComfortUpdate.

Thanks

2 years 1 month ago #127530 by Mazi
Mazi replied the topic: LimeSurvey Security Advisory 10/2015

adridg wrote: My LS version is LimeSurvey
Version 2.06+ Build 150831

Do I still have to upgrade?


Yes, you should do the update. The build number is actually a date stamp. Your version was released 2015-08-31, which is older than the recommended release of October 16th.


Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)survey-consulting.com
The following user(s) said Thank You: adridg
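As an added example (not code from the advisory or the LimeSurvey project), a small Python check that applies the date-stamp logic above: it parses the "2.06+ Build 150831" string shown on the admin page and reports whether the install is older than the fixed build named in the advisory. The version-string format comes from this thread; the function names and sample strings are assumed.

```python
import re

# Thresholds named in the advisory. Build numbers are YYMMDD date stamps,
# so a plain integer comparison orders them chronologically.
LAST_AFFECTED_BUILD = 151014   # 2.06+ Build 151014 is the last affected build
FIRST_FIXED_BUILD = 151016     # 2.06+ Build 151016 or later is fixed

# Matches e.g. "2.06+ Build 150831"; any label in front (such as a
# localized "Version") is ignored. Constructed for this example.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\+?\s+Build\s+(\d{6})", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, build) from an admin 'About' string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return major, minor, build


def needs_upgrade(text):
    """True when the install falls in the affected range: every 2.0x build
    up to 2.06+ Build 151014. Builds between the last affected and the first
    fixed build are treated conservatively as needing the upgrade, which
    matches the advisory's 'Build 151016 or later' wording."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("unrecognised LimeSurvey version string: %r" % text)
    major, minor, build = parsed
    if major != 2:
        return False          # the advisory names only the 2.x line
    if minor < 6:
        return True           # 2.00 .. 2.05: all builds affected
    if minor == 6:
        return build < FIRST_FIXED_BUILD
    return False              # later 2.x lines are outside the stated range
```

Feed it the version line from Administration -> About, e.g. `needs_upgrade("Version 2.06+ Build 150831")` returns True for the install asked about above.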
