LimeSurvey Security Advisory 10/2015

6 years 3 months ago #127510 by c_schmitz
A vulnerability of high severity was found in LimeSurvey which...

Best regards

Carsten Schmitz
LimeSurvey project leader
The topic has been locked.
6 years 3 months ago #127522 by fvanderstarre
Hi,
Is this about issue #9969? I'm not allowed to view that in the bug tracker...
Need more information so as to convince my sysadmins why updating is so important!
Thx, Frank
6 years 3 months ago - 6 years 3 months ago #127525 by Mazi
As a developer I can view the bugtracker ticket details. To put a long story short: this is the most serious LimeSurvey security issue I have seen in the last 5-6 years. It enables hackers to access your config file via some hacks and that allows them to connect to your database. So this is really serious.

Besides updating to the latest LimeSurvey 2.06 version, another solution can be to rename (use a cryptic name) or back up and delete the update.php file from /limesurvey/application/controllers/admin.

This will cause ComfortUpdate to fail later (unless you restore the update.php file) but will close the door for any hackers as well.

You may also want to set "Automatically check for updates" to "never" at Global Settings -> Overview & Update so as not to confuse others (who are trying to use ComfortUpdate) with the error message which will show up due to the deleted/renamed file.

Best regards/Beste Grüße,
Dr. Marcel Minke
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)survey-consulting.com
Want to use your survey offline -> www.offlinesurveys.com
Last edit: 6 years 3 months ago by Mazi.
The following user(s) said Thank You: fvanderstarre
6 years 3 months ago #127529 by adridg
In the alert it is said that Affected Versions: All versions between 2.0+ (all builds) and 2.06+ Build 151014
and How to fix: Upgrade to LimeSurvey 2.06+ Build 151016 or later.
We strongly advise to upgrade to the latest 2.06+ version immediately

my LS version is LimeSurvey
Versão 2.06+ Build 150831

Do I still have to upgrade?
P.S.: When I enter LS as admin, it shows this message: LimeSurvey
Security Update ! a security update is available. Click here to use ComfortUpdate.

Thanks
6 years 3 months ago #127530 by Mazi

> my LS version is LimeSurvey
> Versão 2.06+ Build 150831
>
> Do I still have to upgrade?

Yes, you should do the update. The build number is actually a date stamp. Your version was released 2015-08-31 which is older than the recommended release of October 16th.

Best regards/Beste Grüße,
Dr. Marcel Minke
The following user(s) said Thank You: adridg
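
A triage check for the questions raised in this thread, added here as an example (not code from the thread's participants or the LimeSurvey project): it reads the build number as a YYMMDD date stamp, compares it with the fixed Build 151016, and checks whether the update.php workaround is in place. The function names, the status labels and the install root `/var/www/limesurvey` are assumptions.

```python
import re
from datetime import date
from pathlib import Path

# Fixed release named in the advisory text quoted in the thread: 2.06+ Build 151016.
FIXED_BUILD = date(2015, 10, 16)
# Controller the thread suggests renaming or deleting as a stop-gap.
UPDATE_CONTROLLER = Path("application/controllers/admin/update.php")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\+?\s+Build\s+(\d{6})", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor), build_date) from e.g. '2.06+ Build 150831'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no LimeSurvey version string in {text!r}")
    stamp = m.group(3)  # the build number is a YYMMDD date stamp
    build = date(2000 + int(stamp[:2]), int(stamp[2:4]), int(stamp[4:]))
    return (int(m.group(1)), int(m.group(2))), build

def needs_update(text):
    """True for a 2.x release built before the fixed build.

    Conservative: any 2.x build older than 151016 is flagged, including
    builds between the last listed affected one (151014) and the fix.
    """
    (major, _minor), build = parse_version(text)
    return major == 2 and build < FIXED_BUILD

def assess(version_text, install_root):
    """Classify one install as 'not_affected', 'mitigated' or 'exposed'."""
    if not needs_update(version_text):
        return "not_affected"
    # Workaround from the thread: update.php renamed or removed.
    if not (Path(install_root) / UPDATE_CONTROLLER).exists():
        return "mitigated"
    return "exposed"

if __name__ == "__main__":
    # Constructed sample: version string as posted in the thread, assumed root.
    print(assess("Versão 2.06+ Build 150831", "/var/www/limesurvey"))
```

A "mitigated" result only means the workaround file is absent; the install is still running a build older than the fixed one.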