A couple of vulnerabilities affecting the popular online survey tool LimeSurvey can be exploited by remote attackers to execute malicious code and take control of web servers with little or no user interaction, researchers warn.
LimeSurvey is a free and open source tool that allows users to create online surveys. The software is downloaded roughly 10,000 times every month and is used by individuals and organizations worldwide.
Researchers at RIPS Technologies discovered two potentially serious flaws in LimeSurvey version 2.72.3.
One of the security holes is a persistent cross-site scripting (XSS) issue that affects the “resume later” feature, which allows users to save partially completed surveys and reload them by providing an email address and password.
The email address field was not properly sanitized, allowing an attacker to inject malicious JavaScript code that would get executed when a user visited a specific web page – the attacker can lure a victim to this web page – or when an administrator viewed the partially saved data in the control panel.
The attacker can exploit the vulnerability to perform various actions on behalf of the authenticated user.
The second vulnerability is an arbitrary file write issue that allows an attacker to upload a malicious file by abusing LimeSurvey’s template editor. Exploiting this flaw requires authentication, but that can be achieved using the XSS bug.
According to RIPS researchers, the vulnerabilities can be chained into a single payload that gives the attacker control over the targeted web server.
“The vulnerability chaining [...] yields a single final exploit which would add malicious JavaScript code to the admin panel through the Continue Later functionality of a public survey,” explained RIPS researcher Robin Peraglie. “As soon as the JavaScript payload is executed in the administrator context it can exploit the arbitrary file write vulnerability to give the adversary persistent shell access to the operating system remotely to maximize impact.”
LimeSurvey developers patched the vulnerabilities in November 2017 with the release of version 2.72.4, just two days after the issues were reported. However, RIPS has advised users to update LimeSurvey to the latest release of version 3.