
XSS Filter in Front End / user answering

9 years 10 months ago #128123 by albertosepe
Hi,
I am on LimeSurvey 2.06+ Build 151018 and have a simple one-question-per-page survey where all questions are of long text type.
Someone pointed out to me that a common panel user (no admin login, just token invited) can XSS attack the platform by injecting </textarea><script>javascript malicious code</script><textarea> (i.e. </textarea><script>alert(document.cookie)</script><textarea>) inside any answer. I have the global XSS filter active both in the admin configuration and in the config file. I searched docs and forums and didn't find anything useful in this case. Is it really so? What can I do to prevent this?
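The breakout described above happens when a stored answer is concatenated back into a <textarea> without output encoding, so its "</textarea>" closes the element early and the remainder is parsed as live markup. The following is an added example (not LimeSurvey's code) with a hypothetical render helper in both forms, using the payload quoted in this thread as a constructed sample answer:

```javascript
// Constructed sample: the breakout payload quoted in the thread, as stored.
const STORED_ANSWER = '</textarea><script>alert(document.cookie)</script><textarea>';

// Vulnerable form (hypothetical helper): the stored value is inserted verbatim.
// A "</textarea>" inside the value ends the element, so the <script> that
// follows is rendered as real HTML instead of as text.
function renderTextareaUnsafe(name, value) {
  return `<textarea name="${name}">${value}</textarea>`;
}

// Hardened form: HTML-encode at output time. <textarea> content is RCDATA, so
// encoding "<" is what stops "</textarea>" from terminating the element;
// "&" is encoded so stored entities are not decoded, and quotes are encoded
// so the same helper is safe in the attribute context as well.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderTextareaSafe(name, value) {
  return `<textarea name="${escapeHtml(name)}">${escapeHtml(value)}</textarea>`;
}

// Review check: a correctly rendered field has exactly one closing tag and no
// <script> element. Useful as a regression test on templates that echo answers.
function countTextareaCloseTags(html) {
  return (html.match(/<\/textarea>/g) || []).length;
}

function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: the unsafe render yields two closers and a script element,
// the safe render yields one closer and no script element.
console.log(countTextareaCloseTags(renderTextareaUnsafe('q1', STORED_ANSWER)),
            containsScriptElement(renderTextareaUnsafe('q1', STORED_ANSWER)));
console.log(countTextareaCloseTags(renderTextareaSafe('q1', STORED_ANSWER)),
            containsScriptElement(renderTextareaSafe('q1', STORED_ANSWER)));
```

Note that the answer itself stays stored verbatim (it is data, and respondents may legitimately type angle brackets); the fix belongs at the point where it is echoed into the page, not in an input-side filter.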
9 years 10 months ago #128131 by DenisChenu
Actually, we have not been informed of such an attack.

A user can enter this sentence in a textarea, but this does not work with LimeSurvey (public or admin): we filter it when we show it.

Someone must validate the information before alerting you. And we have a bug report where the security issue is fixed in less than a day.

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, themes and development.
I don't answer to private message.
9 years 10 months ago - 9 years 10 months ago #128147 by albertosepe
The fact is that I tried it myself and it worked! I can send you a link and token where you can reproduce it if you think that may be useful.
Perhaps I should open an issue in Mantis?

Actually, it worked here as well: survey.limesurvey.org/97793 . First screen, put the malicious code in the textarea, click on next, click on "Administrative interface" from the question index and you will get an alert with document.cookie.
Last edit: 9 years 10 months ago by albertosepe. Reason: More details
9 years 10 months ago - 9 years 10 months ago #128148 by DenisChenu

albertosepe wrote: ...
Perhaps i should open an issue in Mantis?
....

Yes

Oh, now I understand better: not in the admin part, but in the public part ... You're right: it must be fixed.

Please report the bug.

PS: there is XSS protection, so the user must really enter this sentence. Not sure what security we have here.

Last edit: 9 years 10 months ago by DenisChenu.