Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

vulnerabilities

  • mariodona1069
  • mariodona1069's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
3 months 2 weeks ago #266774 by mariodona1069
vulnerabilities was created by mariodona1069
Please help us help you and fill where relevant:
LimeSurvey version: [see right hand bottom of your LimeSurvey admin screen]
Own server or LimeSurvey Cloud:
Survey theme/template:
==================
Hi.
I am scanning the code with fortify, and it shows me more than 2000 issues, like Cross-Site Scripting, Dynamic Code Evaluation: Code Injection, Insecure Transport and Path Manipulation. Many of them are false positives, but some when trying to block the vulnerability with functions like htmlspecialchar, some windows do not appear when I am browsing the system. My question is: how can I protect my information or server without editing the code?

Please Log in to join the conversation.

  • c_schmitz
  • c_schmitz's Avatar
  • Offline
  • LimeSurvey GmbH Employee
  • LimeSurvey GmbH Employee
More
3 months 2 weeks ago - 3 months 2 weeks ago #266775 by c_schmitz
Replied by c_schmitz on topic vulnerabilities
Hello Mario,

since LimeSurvey is Open Source its code have been scanned many times over, by humans and machine tools, and is being vetted regularly.

I can tell you for sure that the tool you are using is producing only useless false positives. I would not worry about that.

However, sometimes a new issue is found. But these found in recent times is usually something that would allow a logged-in admin to do something that might trick another admin into doing something they don't want - these issues are usually classified as low risk, because the setup of such a scenario is tricky and usually a long shot for an attacker.

There are hundreds of thousands LimeSurvey installations out there, besides the ones we host - if there was any medium or high serious issue we would know quickly.

So if you don't allow unknown people into your installation as administrators and update regularly I think there is a close to zero risk anything bad will happen.

I would say it is even as much as important that your webserver is set up properly.
 

Best regards

Carsten Schmitz
LimeSurvey project leader
Last edit: 3 months 2 weeks ago by c_schmitz.
The following user(s) said Thank You: DenisChenu

Please Log in to join the conversation.

  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team & Official Partner
  • LimeSurvey Community Team & Official Partner
More
3 months 2 weeks ago #266787 by DenisChenu
Replied by DenisChenu on topic vulnerabilities

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development .
I don't answer to private message.

Please Log in to join the conversation.

Moderators: holchtpartner

Lime-years ahead

Online-surveys for every purse and purpose