- Posts: 1
- Thank you received: 1
Welcome to the LimeSurvey Community Forum
Ask the community, share ideas, and connect with other LimeSurvey users!
limesurvey index.php p parameter exploit?
- explo1ted
- Topic Author
- Offline
- New Member
Less
More
9 years 3 months ago #115228
by explo1ted
limesurvey index.php p parameter exploit? was created by explo1ted
If you Google 'limesurvey viagra p parameter', you'll see a bunch of limesurvey sites with URLs such as:
iai-survey.iai.kit.edu/limesurvey/index.php?p=sales-of-viagra
Such URLs do a 302 redirect, in that case to some online pharmacy
On my own server, I can see the entries in classes/inputfilter/filters are evil, by base64decoding them.
Those entries appear to inject the dodgy URLs; for example, sportpanel.web.t4is.nl/limesurvey/index....omprar-viagra-online
But I haven't worked out what makes that URL redirect to the dodgy site.
No doubt this is a well known exploit; is that enough info to say which one, exactly?
iai-survey.iai.kit.edu/limesurvey/index.php?p=sales-of-viagra
Such URLs do a 302 redirect, in that case to some online pharmacy
On my own server, I can see the entries in classes/inputfilter/filters are evil, by base64decoding them.
Those entries appear to inject the dodgy URLs; for example, sportpanel.web.t4is.nl/limesurvey/index....omprar-viagra-online
But I haven't worked out what makes that URL redirect to the dodgy site.
No doubt this is a well known exploit; is that enough info to say which one, exactly?
The following user(s) said Thank You: Ben_V
The topic has been locked.
- Ben_V
- Offline
- Platinum Member
Less
More
- Posts: 1223
- Thank you received: 351
9 years 3 months ago - 9 years 3 months ago #115237
by Ben_V
and about 9,500 results for the query " v*ag*a limesurvey "
Thank you for reporting this security issue...
BTW there is a lot of surveys indexed by Google (and other major search engines). In my opinion a meta
<meta name="robots" content="none" /> should be added to all shipped templates... It's not a strong protection and only a part of all basic security settings, but it's a good start, useful to limit this kind of infection.
I think you've enough arguments to open a bug-tracker ticket
Benoît
EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
Replied by Ben_V on topic limesurvey index.php p parameter exploit?
About 2,030 results...explo1ted wrote: you'll see a bunch of limesurvey sites
and about 9,500 results for the query " v*ag*a limesurvey "
Thank you for reporting this security issue...
BTW there is a lot of surveys indexed by Google (and other major search engines). In my opinion a meta
<meta name="robots" content="none" /> should be added to all shipped templates... It's not a strong protection and only a part of all basic security settings, but it's a good start, useful to limit this kind of infection.
I think you've enough arguments to open a bug-tracker ticket
Benoît
EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
Last edit: 9 years 3 months ago by Ben_V.
The topic has been locked.
- DenisChenu
- Offline
- LimeSurvey Community Team
Less
More
- Posts: 13935
- Thank you received: 2551
9 years 3 months ago #115242
by DenisChenu
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
Replied by DenisChenu on topic limesurvey index.php p parameter exploit?
Hi,
For this one : jQuery JavaScript Library v1.4.2 then an old version in /limesurvey/scripts/jquery/ directory. Then a before 2.00 version .
For this one : jQuery JavaScript Library v1.4.2 then an old version in /limesurvey/scripts/jquery/ directory. Then a before 2.00 version .
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The following user(s) said Thank You: Ben_V
The topic has been locked.
- c_schmitz
- Offline
- LimeSurvey GmbH Employee
Less
More
- Posts: 329
- Thank you received: 89
9 years 3 months ago #115249
by c_schmitz
Best regards
Carsten Schmitz
LimeSurvey project leader
Replied by c_schmitz on topic limesurvey index.php p parameter exploit?
The first link is a 1.91 version. It looks like the software itself was changed as there is no such "p" parameter in 1.91. It was most likely attacked and modified by one of the other vulnerabilities existing in that old version. Sneaky, requires a change of only a few lines of code.
I would need to get access to the files of such an installation to have more info.
Maybe someone likes to set up a honeypot
I would need to get access to the files of such an installation to have more info.
Maybe someone likes to set up a honeypot
Best regards
Carsten Schmitz
LimeSurvey project leader
The topic has been locked.