Server’s of LimeSurvey service was attacked by hackers

Specialists from the company RIPS Technologies found a dangerous vulnerability in the popular service for organizing online surveys LimeSurvey. vulnerability allow you to run arbitrary code on web servers.
LimeSurvey is a free open source Internet application. According to Securityweek, it is downloaded about 10 thousand times a month. Users install the client on their server and interact with the system through the web interface.

Two vulnerabilities were found. One of the vulnerability opens the possibility of Cross-Site Scripting (XSS) due to an error in the function of saving a survey draft. The researchers found that the service stores the user’s email address, which he later identifies the author of the unfinished material, in an unencrypted form.

Due to this bug, an hacker can access the questionnaire. To do this, he must run a malicious Java script in the victim’s browser – either by luring it to his site, or by waiting for user to download the draft survey in the control panel. After that, the hacker authenticates on behalf of the compromised user and can exploit the second vulnerability.

This vulnerability allows you to download and edit arbitrary LimeSurvey template files. Since the program does not clearly state the prohibition on changing service objects, it becomes possible to attack the “catalog bypass” type. An attacker can force an application to treat the index.php file as an editable template, thus capturing control of the program and gaining access to its server.

The identified problems are relevant for LimeSurvey version 2.72.3. According to the authors of the report, having received a description of the gaps in early November, the developer eliminated them within two days. The protected version of the distribution is 2.72.4, but experts recommend that users update to the December version 3.0.

The most common object by attacks of hackers are large web services and open source CMS which are used by millions of website owners.
So the protection of the site from attacks and web threats is simply necessary.