we had an security check for limesurvey and one topic was the missing check for malware in uploaded files.

So any admin could store malicious code in a file which gets inserted in a survey or in the backend where a superadmin could execute the code by chance so something bad could happen (enhancement of rights, ...)

One solution would be to check each upload and delete the file on a detection of malware, responding with an error message about bad upload.

Is there a hook /event a plugin can use to realize this?

what are the chances to get something like that into the code?

I don't think you can have malware on image files,

Then maybe restrict upload to only image file
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L87
github.com/LimeSurvey/LimeSurvey/blob/ma...fig-defaults.php#L89

You can set it to your own config.php file www.limesurvey.org/manual/Optional_settings#Introduction

DenisChenu wrote: I don't think you can have malware on image files,

Depends on the attack vector. E.g EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

But I wonder what scope the "security check" had. LimeSurvey isn't made for many users with different security levels. I don't see LimeSuvey able to secure all attack vectors (uploading LSS with malicious js code inside).

Which survey solution or webapplication offers an upload scanner by default? Which engine is used?

Similar to GoogleMap, an optional check via VirusTotal could be offered.
E.g. via github.com/IzzySoft/virustotal
But I'm not sure it is worth the hassle.

jelo wrote:

DenisChenu wrote: I don't think you can have malware on image files,

Depends on the attack vector. E.g EXIF comment field can contain malware code.
blog.sucuri.net/2018/07/hiding-malware-i...ogleusercontent.html

Yes, OK : part of malware are inside comment.

BUT : you need another part (PHP part here) to decode this exif comment


The file by itself is still secure …

You can hide any bad contents on question text , but if you don't have a way to launch it : it still harmless…

I don't see LimeSuvey able to secure all attack vectors (uploading LSS with malicious js code inside).

I don't say it's perfect , but with XSS security to on (and not be a super-admin) : uploading lss are filtered for JS and other harmfull code (using htmlpurifier.org/ ).

If you can add any harmfull (and working) system with a non super-admin account (and no template edit allowed) : this must be reported as a security issue (and we fix it).

DenisChenu wrote: but with XSS security to on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

Prerequisites to use LimeSurvey (if you want to use the average feature set of an average survey tool): XSS security off. Ajaxmode off.

jelo wrote:

DenisChenu wrote: but with XSS security to on

XSS security would be working in a world without workarounds. LimeSurvey without workarounds is what?

User who came on forum need very specific solution.

More than 95% of my survey is done without any workaround …

DenisChenu wrote: More than 95% of my survey is done without any workaround …

People contacting you are already on LimeSurvey soil. Your customers can leave XSS on, cause they get a plugin installed I wonder if 95% of TPartners customers conduct surveys without any workaround.

I would say that 95% of my customers have customizations but only about half of those are what I would call "workarounds".

jelo wrote: Your customers can leave XSS on, cause they get a plugin installed .

No for public part .

More : theme (without workaround) or management in PHP (no need JS).