Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Bootstrap upgrade

  • Talsaady
  • Talsaady's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
4 years 7 months ago #187080 by Talsaady
Bootstrap upgrade was created by Talsaady
hi, i am using Limesyrvay ver. 3.17.8 with bootstrap version 3.3.7 which has some vulnerabilities, and I am wondering if it will work with bootstrap version 4?

regards
The topic has been locked.
More
4 years 7 months ago #187113 by jelo
Replied by jelo on topic Bootstrap upgrade

Talsaady wrote: hi, i am using Limesyrvay ver. 3.17.8 with bootstrap version 3.3.7 which has some vulnerabilities

Can you provide some infos about the vulnerabilities? I recommend to open a bug report with LimeSurvey if you see a security issue running a survey with the shipped bootstrap package.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: cdorin
The topic has been locked.
  • Talsaady
  • Talsaady's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
4 years 7 months ago #187165 by Talsaady
Replied by Talsaady on topic Bootstrap upgrade
Hello,
actually attached picture show our security scan result on our survey site.

regards,
The topic has been locked.
  • tpartner
  • tpartner's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
4 years 7 months ago #187166 by tpartner
Replied by tpartner on topic Bootstrap upgrade
Please file a bug report

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The topic has been locked.
More
4 years 7 months ago #187168 by jelo
Replied by jelo on topic Bootstrap upgrade
Thanks for your scan. I'm afraid that there are lot more javascript libraries bundled with LimeSurvey which are outdated. A look at github show e.g.
github.com/LimeSurvey/LimeSurvey/blob/ma.../js/source/jquery.js or github.com/LimeSurvey/LimeSurvey/blob/ma...ibs/jquery/jquery.js

It's not always the case that such libraries can be exploited. It depends a bit on how LimeSurvey has integrated the libraries. The impact can differ a lot.



JQuery
www.cvedetails.com/cve/CVE-2019-11358/

Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

You still should report your findings as tpartner already pointed out.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
4 years 7 months ago #187170 by DenisChenu
Replied by DenisChenu on topic Bootstrap upgrade

jelo wrote: JQuery
www.cvedetails.com/cve/CVE-2019-11358/

Unsure could be impacted (if XSS is on).

But we must remove/disable the old jquery.js file …

jelo wrote: Bootstrap:
www.cvedetails.com/cve/CVE-2019-8331/
github.com/twbs/bootstrap/releases

Unsure could be impacted (if XSS is on)., less sure. XSS user can use class for tooltip, but don't know how to add XSS inside this tooltip.

Think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
More
4 years 7 months ago #187189 by jelo
Replied by jelo on topic Bootstrap upgrade

DenisChenu wrote: Think we can easily update to github.com/twbs/bootstrap/releases/tag/v3.4.1

Correct, but how will LimeSurvey dev team monitor the impact from external libs.
The amount of external code is getting bigger and bigger.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
4 years 7 months ago #187191 by DenisChenu
Replied by DenisChenu on topic Bootstrap upgrade
github.com/LimeSurvey/LimeSurvey/tree/master/tests

But here need a test for ranking and slider

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
More
4 years 7 months ago #187628 by jelo
Replied by jelo on topic Bootstrap upgrade
Looks like you need to provide an exploit to get an bootstrap update. Nice idea, but as a Saas provider the approach might be a bit risky.

bugs.limesurvey.org/view.php?id=15141#c53152

The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey.
For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.


The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.

Lime-years ahead

Online-surveys for every purse and purpose