A couple of vulnerabilities affecting the popular online survey tool LimeSurvey can be exploited by remote attackers to execute malicious code and take control of web servers with little or no user interaction, researchers warn.
LimeSurvey is a free and open source tool that allows users to create online surveys. The software is downloaded roughly 10,000 times every month and is used by individuals and organizations worldwide.
Researchers at RIPS Technologies discovered two potentially serious flaws in LimeSurvey version 2.72.3.
One of the security holes is a persistent cross-site scripting (XSS) issue that affects the “resume later” feature, which allows users to save partially completed surveys and reload them by providing an email address and password.
The attacker can exploit the vulnerability to perform various actions on behalf of the authenticated user.
The second vulnerability is an arbitrary file write issue that allows an attacker to upload a malicious file by abusing LimeSurvey’s template editor. Exploiting this flaw requires authentication, but that can be achieved using the XSS bug.
According to RIPS researchers, the vulnerabilities can be chained into a single payload that gives the attacker control over the targeted web server.
LimeSurvey developers patched the vulnerabilities in November 2017 with the release of version 2.72.4, just two days after the issues were reported. However, RIPS has advised users to update LimeSurvey to the latest release of version 3.