Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

limesurvey index.php p parameter exploit?

  • explo1ted
  • explo1ted's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
9 years 3 months ago #115228 by explo1ted
If you Google 'limesurvey viagra p parameter', you'll see a bunch of limesurvey sites with URLs such as:

iai-survey.iai.kit.edu/limesurvey/index.php?p=sales-of-viagra

Such URLs do a 302 redirect, in that case to some online pharmacy

On my own server, I can see the entries in classes/inputfilter/filters are evil, by base64decoding them.

Those entries appear to inject the dodgy URLs; for example, sportpanel.web.t4is.nl/limesurvey/index....omprar-viagra-online

But I haven't worked out what makes that URL redirect to the dodgy site.

No doubt this is a well known exploit; is that enough info to say which one, exactly?
The following user(s) said Thank You: Ben_V
The topic has been locked.
More
9 years 3 months ago - 9 years 3 months ago #115237 by Ben_V
Replied by Ben_V on topic limesurvey index.php p parameter exploit?

explo1ted wrote: you'll see a bunch of limesurvey sites

About 2,030 results...
and about 9,500 results for the query " v*ag*a limesurvey "

Thank you for reporting this security issue...
BTW there is a lot of surveys indexed by Google (and other major search engines). In my opinion a meta
<meta name="robots" content="none" /> should be added to all shipped templates... It's not a strong protection and only a part of all basic security settings, but it's a good start, useful to limit this kind of infection.

I think you've enough arguments to open a bug-tracker ticket ;)

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
Last edit: 9 years 3 months ago by Ben_V.
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
9 years 3 months ago #115242 by DenisChenu
Replied by DenisChenu on topic limesurvey index.php p parameter exploit?
Hi,

For this one : jQuery JavaScript Library v1.4.2 then an old version in /limesurvey/scripts/jquery/ directory. Then a before 2.00 version .

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The following user(s) said Thank You: Ben_V
The topic has been locked.
  • c_schmitz
  • c_schmitz's Avatar
  • Offline
  • LimeSurvey GmbH Employee
  • LimeSurvey GmbH Employee
More
9 years 3 months ago #115249 by c_schmitz
Replied by c_schmitz on topic limesurvey index.php p parameter exploit?
The first link is a 1.91 version. It looks like the software itself was changed as there is no such "p" parameter in 1.91. It was most likely attacked and modified by one of the other vulnerabilities existing in that old version. Sneaky, requires a change of only a few lines of code.
I would need to get access to the files of such an installation to have more info.

Maybe someone likes to set up a honeypot :-)

Best regards

Carsten Schmitz
LimeSurvey project leader
The topic has been locked.

Lime-years ahead

Online-surveys for every purse and purpose