checking uploaded files by antivirus software?

2 weeks 5 days ago #181395 by bewi
We had a security check for LimeSurvey, and one topic was the missing check for malware in uploaded files.

So any admin could store malicious code in a file which gets inserted in a survey or in the backend, where a superadmin could execute the code by chance, so something bad could happen (elevation of rights, ...).

One solution would be to check each upload and delete the file on detection of malware, responding with an error message about a bad upload.

Is there a hook /event a plugin can use to realize this?

What are the chances of getting something like that into the code?


2 weeks 5 days ago #181397 by DenisChenu
I don't think you can have malware in image files.

Then maybe restrict upload to only image files:
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L87
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L89

You can set it in your own config.php file: manual.limesurvey.org/Optional_settings#Introduction

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand (or search sondages pro).
An error happened? Before making a new topic: remember the Debug mode.


2 weeks 5 days ago #181422 by jelo

DenisChenu wrote: I don't think you can have malware in image files.

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

But I wonder what scope the "security check" had. LimeSurvey isn't made for many users with different security levels. I don't see LimeSurvey being able to secure all attack vectors (uploading an LSS with malicious JS code inside).

Which survey solution or web application offers an upload scanner by default? Which engine is used?

Similar to Google Maps, an optional check via VirusTotal could be offered.
E.g. via github.com/IzzySoft/virustotal
But I'm not sure it is worth the hassle.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users


2 weeks 4 days ago - 2 weeks 4 days ago #181430 by DenisChenu

jelo wrote:

DenisChenu wrote: I don't think you can have malware in image files.

Depends on the attack vector. E.g. the EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

Yes, OK: part of the malware is inside the comment.

BUT: you need another part (the PHP part here) to decode this EXIF comment.


The file by itself is still secure…

You can hide any bad content in question text, but if you don't have a way to launch it, it is still harmless…

jelo wrote: I don't see LimeSurvey being able to secure all attack vectors (uploading an LSS with malicious JS code inside).

I don't say it's perfect, but with XSS security on (and not being a super-admin), uploaded LSS files are filtered for JS and other harmful code (using htmlpurifier.org/ ).

If you can add any harmful (and working) system with a non-super-admin account (and no template editing allowed), this must be reported as a security issue (and we fix it).

Last edit: 2 weeks 4 days ago by DenisChenu.
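One way to build the gate bewi asks about, as an added example that is not part of this thread and not LimeSurvey's own code: a stand-alone Python check that enforces "image files only" by magic bytes rather than by extension (so a renamed .php does not pass), walks the JPEG marker segments to flag script fragments hidden in COM or APP1/EXIF metadata like the Sucuri case jelo links, and optionally hands the file to the clamscan CLI when it happens to be installed. The allow-list, the regex of suspicious fragments, every function name and the sample byte strings are assumptions constructed for this illustration; no LimeSurvey plugin event is used, because the thread does not name one.

```python
"""Upload gate for image files: extension/magic-byte check, a walk over JPEG
metadata segments (COM and APPn, where EXIF lives) looking for script
fragments, and an optional hand-off to the clamscan CLI.
Added example, not LimeSurvey code. The allow-list, the regex, all function
names and the sample bytes below are assumptions made for this illustration."""
import re
import shutil
import struct
import subprocess
from typing import List, Tuple

# Assumed allow-list: leading bytes a file must carry for each accepted extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Assumed list of fragments that have no business inside image metadata.
SUSPICIOUS = re.compile(
    rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(|<script\b|\$_(GET|POST|REQUEST)\b",
    re.IGNORECASE,
)

def extension_matches_magic(name: str, data: bytes) -> bool:
    """True only if the extension is allowed AND the file really starts like that type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in MAGIC and any(data.startswith(m) for m in MAGIC[ext])

def jpeg_metadata_segments(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk JPEG marker segments up to Start-Of-Scan; return (marker, payload) for COM/APPn."""
    found = []
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break  # not at a marker: malformed file, stop rather than guess
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):  # SOS (entropy data follows) or EOI: metadata is over
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:  # COM or APP0..APP15 (APP1 = EXIF)
            found.append((marker, payload))
        pos += 2 + length
    return found

def scan_metadata(data: bytes) -> List[str]:
    """Findings for script-like text in JPEG metadata; empty list when nothing matched."""
    findings = []
    for marker, payload in jpeg_metadata_segments(data):
        hit = SUSPICIOUS.search(payload)
        if hit:
            seg = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            findings.append(f"{seg} segment contains {hit.group(0).decode('latin-1')!r}")
    return findings

def clamscan_verdict(path: str) -> str:
    """Optional AV pass (assumes the clamscan CLI): clean / infected / error / unavailable."""
    exe = shutil.which("clamscan")
    if exe is None:
        return "unavailable"
    rc = subprocess.run([exe, "--no-summary", path], capture_output=True).returncode
    return {0: "clean", 1: "infected"}.get(rc, "error")

def accept_upload(name: str, data: bytes) -> Tuple[bool, str]:
    """Decision the upload handler would act on: (accepted, reason)."""
    if not extension_matches_magic(name, data):
        return False, "extension not allowed or does not match file content"
    if data.startswith(b"\xff\xd8"):
        findings = scan_metadata(data)
        if findings:
            return False, "; ".join(findings)
    return True, "ok"

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: FF <marker>, big-endian length (payload + 2), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: minimal marker structure, not decodable images.
CLEAN_JPEG = b"\xff\xd8" + _segment(0xFE, b"Created with GIMP") + b"\xff\xd9"
EXIF_SHELL_JPEG = (
    b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00<?php eval(base64_decode($_GET['c'])); ?>")
    + b"\xff\xd9"
)
RENAMED_PHP = b"<?php system($_GET['c']); ?>"  # a .php file saved under a .jpg name

if __name__ == "__main__":
    for fname, blob in [("clean.jpg", CLEAN_JPEG), ("photo.jpg", EXIF_SHELL_JPEG),
                        ("shell.jpg", RENAMED_PHP), ("shell.php", CLEAN_JPEG)]:
        print(fname, accept_upload(fname, blob))
```

The metadata scan is defence in depth, not the control that matters most: as the reply above notes, text in a comment segment does nothing until some other code decodes and runs it. The magic-byte check is what stops a renamed PHP file, and it only pays off if the web server is also configured never to execute scripts from the upload directory. The clamscan pass, when available, catches known signatures the regex does not.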


2 weeks 4 days ago #181452 by jelo

DenisChenu wrote: but with XSS security on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Prerequisites to use LimeSurvey (if you want to use the average feature set of an average survey tool): XSS security off. Ajaxmode off.


2 weeks 4 days ago #181453 by DenisChenu

jelo wrote:

DenisChenu wrote: but with XSS security on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Users who come to the forum need very specific solutions.

More than 95% of my surveys are done without any workaround…


2 weeks 4 days ago - 2 weeks 4 days ago #181455 by jelo

DenisChenu wrote: More than 95% of my surveys are done without any workaround…

People contacting you are already on LimeSurvey soil. Your customers can leave XSS on, because they get a plugin installed ;-) I wonder if 95% of tpartner's customers conduct surveys without any workaround.

Last edit: 2 weeks 4 days ago by jelo.

2 weeks 4 days ago #181463 by tpartner
I would say that 95% of my customers have customizations but only about half of those are what I would call "workarounds".

Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.


2 weeks 4 days ago - 2 weeks 4 days ago #181468 by DenisChenu

jelo wrote: Your customers can leave XSS on, because they get a plugin installed ;-)

No, not for the public part :).

More: a theme (without workaround) or management in PHP (no need for JS).

Last edit: 2 weeks 4 days ago by DenisChenu.
