Bootstrap upgrade

1 month 3 weeks ago #187080 by Talsaady
Bootstrap upgrade was created by Talsaady
Hi, I am using LimeSurvey ver. 3.17.8 with Bootstrap version 3.3.7, which has some vulnerabilities, and I am wondering if it will work with Bootstrap version 4?

regards

1 month 2 weeks ago #187113 by jelo
Reply from jelo on topic Bootstrap upgrade

Talsaady wrote: Hi, I am using LimeSurvey ver. 3.17.8 with Bootstrap version 3.3.7 which has some vulnerabilities

Can you provide some info about the vulnerabilities? I recommend opening a bug report with LimeSurvey if you see a security issue running a survey with the shipped Bootstrap package.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: cdorin

1 month 2 weeks ago #187165 by Talsaady
Reply from Talsaady on topic Bootstrap upgrade
Hello,
Actually, the attached picture shows our security scan result on our survey site.

regards,
Attachments:

1 month 2 weeks ago #187166 by tpartner
Reply from tpartner on topic Bootstrap upgrade
Please file a bug report

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
Official LimeSurvey Partner - partnersurveys.com

1 month 2 weeks ago #187168 by jelo
Reply from jelo on topic Bootstrap upgrade
Thanks for your scan. I'm afraid that there are a lot more JavaScript libraries bundled with LimeSurvey which are outdated. A look at GitHub shows e.g.
github.com/LimeSurvey/LimeSurvey/blob/ma.../js/source/jquery.js or github.com/LimeSurvey/LimeSurvey/blob/ma...ibs/jquery/jquery.js

It's not always the case that such libraries can be exploited. It depends a bit on how LimeSurvey has integrated the libraries. The impact can differ a lot.

jQuery:
www.cvedetails.com/cve/CVE-2019-11358/

Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

You still should report your findings as tpartner already pointed out.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

1 month 2 weeks ago #187170 by DenisChenu
Reply from DenisChenu on topic Bootstrap upgrade

jelo wrote: jQuery
www.cvedetails.com/cve/CVE-2019-11358/

Unsure; could be impacted (if XSS is on).

But we must remove/disable the old jquery.js file …

jelo wrote: Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

Unsure; could be impacted (if XSS is on), but less sure. An XSS user can use a class for the tooltip, but I don't know how to add XSS inside this tooltip.

I think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
An error happened? Before making a new topic: remember the Debug mode.
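The two posts above list CVE-2019-11358 (jQuery) and CVE-2019-8331 (Bootstrap) and propose updating the bundled Bootstrap to v3.4.1. A first defensive step before reasoning about exploitability is an inventory: find every vendored copy of these libraries and compare its banner version against the release that fixed the CVE. The script below is an added example, not LimeSurvey code; the fix versions come from the CVE advisories (jQuery 3.4.0 for CVE-2019-11358; Bootstrap 3.4.1 and 4.3.1 for CVE-2019-8331), and the file contents and paths it audits are constructed stand-ins for the real vendored files.

```javascript
// Added example (not LimeSurvey's code): audit vendored jQuery/Bootstrap copies
// against the versions that fixed the two CVEs named in the thread.
// Fix versions are taken from the CVE advisories: CVE-2019-11358 is fixed in
// jQuery 3.4.0; CVE-2019-8331 is fixed in Bootstrap 3.4.1 (3.x) and 4.3.1 (4.x).
// The file contents below are constructed banner comments, not real files.

const ADVISORIES = {
  jquery: {
    cve: 'CVE-2019-11358',                  // prototype pollution via jQuery.extend
    fixedIn: (major) => '3.4.0',            // single fix line; anything older is affected
  },
  bootstrap: {
    cve: 'CVE-2019-8331',                   // XSS via tooltip/popover data-template
    fixedIn: (major) => (major >= 4 ? '4.3.1' : '3.4.1'),
  },
};

// Pull "vX.Y.Z" out of the library's banner comment. Returns null if not found.
function extractVersion(source, lib) {
  const re = lib === 'jquery'
    ? /jQuery(?: JavaScript Library)?\s+v?(\d+\.\d+\.\d+)/
    : /Bootstrap\s+v?(\d+\.\d+\.\d+)/;
  const m = source.match(re);
  return m ? m[1] : null;
}

// Compare dotted versions numerically: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Classify one vendored file. `lib` is 'jquery' or 'bootstrap'.
function auditFile(path, lib, source) {
  const advisory = ADVISORIES[lib];
  const version = extractVersion(source, lib);
  if (!version) {
    // Minified or banner-stripped copy: cannot decide automatically, flag for manual review.
    return { path, lib, version: null, status: 'unknown' };
  }
  const fixedIn = advisory.fixedIn(Number(version.split('.')[0]));
  const affected = compareVersions(version, fixedIn) < 0;
  return { path, lib, version, cve: advisory.cve, fixedIn, status: affected ? 'affected' : 'ok' };
}

function auditAll(files) {
  return files.map(({ path, lib, source }) => auditFile(path, lib, source));
}

// Constructed sample inputs standing in for vendored files (paths are illustrative).
const SAMPLE_FILES = [
  { path: 'assets/packages/jquery/jquery.js', lib: 'jquery',
    source: '/*! jQuery JavaScript Library v1.12.4 */ (function(){})();' },
  { path: 'assets/packages/bootstrap/bootstrap.js', lib: 'bootstrap',
    source: '/*! Bootstrap v3.3.7 (http://getbootstrap.com) */ (function(){})();' },
  { path: 'assets/packages/bootstrap-new/bootstrap.js', lib: 'bootstrap',
    source: '/*! Bootstrap v3.4.1 (https://getbootstrap.com/) */ (function(){})();' },
  { path: 'assets/packages/minified/lib.min.js', lib: 'jquery',
    source: '!function(){}();' },
];

for (const r of auditAll(SAMPLE_FILES)) {
  const detail = r.cve ? `(${r.cve}, fixed in ${r.fixedIn})` : '';
  console.log(`${r.status.padEnd(8)} ${r.lib} ${r.version || '?'} ${detail} ${r.path}`);
}
```

A real run would read the files from disk (for example every `jquery*.js` and `bootstrap*.js` under the assets tree) and feed them to `auditAll`. An "affected" result says only that the shipped version predates the fix; whether the vulnerable code path is reachable still depends on how the application uses the library, which is the point jelo makes about integration and impact.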

1 month 2 weeks ago #187189 by jelo
Reply from jelo on topic Bootstrap upgrade

DenisChenu wrote: I think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Correct, but how will the LimeSurvey dev team monitor the impact from external libs?
The amount of external code is getting bigger and bigger.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

1 month 2 weeks ago #187191 by DenisChenu
Reply from DenisChenu on topic Bootstrap upgrade
github.com/LimeSurvey/LimeSurvey/tree/master/tests

But here we need a test for ranking and slider.

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
An error happened? Before making a new topic: remember the Debug mode.

1 month 5 days ago #187628 by jelo
Reply from jelo on topic Bootstrap upgrade
Looks like you need to provide an exploit to get a Bootstrap update. Nice idea, but as a SaaS provider the approach might be a bit risky.

bugs.limesurvey.org/view.php?id=15141#c53152

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.


The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users