LimeSurvey Security Advisory 02/2018

IMPORTANT: A highly critical issue has been uncovered which allows an attacker to gain access to your LimeSurvey installation and probably your webspace.

Type of issue: The issue lets an attacker gain access to your LimeSurvey configuration file by using a vulnerability in the LimeSurvey installer. The vulnerability was uncovered by Nguyen Van Tien Thanh (@yeuchimse) from Viettel Cyber Security Center, and we are very grateful for the responsible disclosure.

Affected LimeSurvey versions: This issue affects all LimeSurvey versions starting from 2.x. Note: The LimeSurvey Professional hosting services are/were NOT affected.

Exploits in the wild: There is currently no known exploit in the wild.

Advised solution: Update as soon as possible! There are two possible ways to resolve this issue:

- The quick way (works for all versions): Delete the file /application/controller/InstallerController.php from your LimeSurvey directory. This file is not needed by LimeSurvey anymore after installation.
- The update way: We prepared different update versions to keep the impact as small as possible:
  - If you are using 2.6.x LTS, use ComfortUpdate to update to 2.6.7 LTS.
  - If you are using 2.7x.x, use ComfortUpdate to update to version 2.73.1 or download version 2.73.1 here.
  - If you are using 3.x, use ComfortUpdate to update to version 3.4.2 or download 3.4.2 here.

Recommendations: We recommend using one of the advised solutions as soon as possible. Though there are no known exploits in the wild, there might very well be some coming soon.
- Category: Security

A vulnerability of high severity was found in LimeSurvey which enables an attacker to get unauthorized access to files and data of your LimeSurvey installation. The LimeSurvey team thanks Pichaya Morimoto (discovery, analysis) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.

Affected versions: All versions between 2.0+ (all builds) and 2.06+ Build 151014

Severity: HIGH

How to fix: Upgrade to LimeSurvey 2.06+ Build 151016 or later. We strongly advise upgrading to the latest 2.06+ version immediately, either manually or using ComfortUpdate.
- Category: Security

In LimeSurvey there existed a vulnerability (CVE-2014-6227) that allows an attacker to gain superadministrator access to the LimeSurvey application. This issue affects all 2.00 versions and all 2.05 versions before build 140821. All newer builds of 2.05 (starting with build 140821) are not affected. Although there is currently no known exploit in the wild, we strongly recommend updating all older versions to the latest LimeSurvey version immediately. After updating you should check for unknown administrator accounts in LimeSurvey.

Note: If you are a LimeService user you don't need to worry, as we make sure (before anything else) that LimeService always uses the latest build/security patches.
- Category: Security

An issue has been uncovered in the latest LimeSurvey versions.

Type of issue: A security issue by which an attacker can get access to your LimeSurvey administration and files and possibly change these; this allows for remote execution and data disclosure.

Affected LimeSurvey versions:
- LimeSurvey 1.80RC4, 1.80, 1.80+, 1.81, 1.81+ (all builds) (released around January-April 2009)

Exploits in the wild: This issue was discovered during a security audit by Dan Schwister (thank you Dan!). Therefore there is no exploit in the wild (yet).

Advised solution: Update as soon as possible to the latest LimeSurvey 1.82 or later version available from http://www.limesurvey.org

Quick fix: Remove the /admin/remotecontrol/ directory to disable the security problem.
- Category: Security

An issue has been uncovered in an older LimeSurvey version, namely version 1.71+.

Type of issue: A version of FCKeditor (namely 2.6.2) which was used at the time inside the LimeSurvey software appears to have a security issue by which an attacker can get access to your files and change these.

Affected LimeSurvey versions:
- LimeSurvey 1.71+ in the range of Build 5245 to 5496 (released around March-April 2008)

Exploits in the wild: An unspecified exploit does exist; please refer to this forum topic for further details.

Advised solution: Update to the latest LimeSurvey 1.80+ or later version available from http://www.limesurvey.org

Recommendations: Check other PHP files on the same webspace for infections of the same kind.
- Category: Blog

We are happy to announce that we have been accepted for the Google Summer of Code 2009 event as a mentoring organization! If you are an interested student, please take a look at our Google Summer of Code wiki pages, our ideas page and ideas list, and our discussion forum to share your thoughts. Let us know if you would be interested in taking on one of these tasks or, if you have a better idea, in helping to develop LimeSurvey 2. The race has begun!
- Category: Blog

Please take a look at this short video, made with the code_swarm engine, which shows you the amount of work put into LimeSurvey over the past 6 years. Each particle that appears or flashes represents a file that was edited or added. The best way to enjoy this video is to watch it in full screen (and in HD!). It is particularly spectacular at the moment when development of LimeSurvey 2 begins. Click here for the direct link on Vimeo. Thanks to all contributors!
- Category: Security

For the last couple of months the LimeSurvey project has done a lot of self-imposed security audits on the LimeSurvey code base. (Thank you to the Ubuntu Server team for pointing out the first issues and giving us a head start.)

During this process several security issues have been fixed in the source code, which include:
- Issues where variable manipulation was possible when register_globals in PHP is activated
- Session data injection and manipulation
- Permanent and non-permanent XSS issues where an attacker could try to gain access by injecting their own JavaScript code into the application
- Session-related issues where a possible attacker could take over the session and/or gain higher access privileges

Most of these issues were already fixed for 1.71 stable. (Affected versions: 1.70+ (all builds) and older)

On top of that we fixed two moderate issues for the current 1.71 release, which were:
- Two XSS attacks for security flaws in the IE6 browser
- Session fixation attack

Thank you to security advisor Michal Tresner for reporting.

Exploits in the wild: No known exploits yet. We strongly recommend updating as long as it stays that way!

Solution: Update to the latest LimeSurvey 1.71+ Build 5147 or later version available from http://www.limesurvey.org

This security advisory refers to CVE-2008-2659 - LimeSurvey XSS candidate