This was published on the Mod_Survey mailing list a few minutes ago.

#########################################################
Mod_Survey Security Advisory 2004-03-21, Script injection
#########################################################

ABOUT MOD_SURVEY
----------------

Mod_Survey is an Apache module which displays and handles questionnaires written in a special XML-based markup language. Mod_Survey is primarily targeted towards Linux/Unix, but it is also possible to run it on Windows.

SUMMARY
-------

In all versions older than 2004-03-21, it is possible for a remote evil person to submit script code (such as JavaScript) along with his normal answers. This could, for example, be exploitable to get access to the password cookie used by the administrator of the survey, and thereby read access to the submitted data.

ERROR CATEGORY
--------------

The error falls into the classes "Input Validation Error" and "Script Injection". It is possible to exploit remotely.

VULNERABLE
----------

In stable (3.0.x) branch: All versions up to and including 3.0.16-pre1

In development (3.2.x) branch: All versions up to and including 3.2.0-pre3

Not vulnerable: 3.0.16-pre2, 3.2.0-pre4

SOLUTION
--------

Users of the stable branch are encouraged to upgrade to 3.0.16-pre2. Users of the development branch are encouraged to upgrade to 3.2.0-pre4 or to the current CVS version.

LONGER DISCUSSION
-----------------

Mod_Survey accepts arbitrary text-field type answers to be submitted by a respondent. As the data backend usually does not care about what is actually contained in these answers, very few illegal characters have been filtered out from being saved. This is in itself not a major problem.

However, when the administrator of the survey wants to download the submitted data, he gets to choose between several different formats. One of these is to download it as an HTML table. Previously, the data was pasted straight into the HTML output without any filtering or escaping.

To illustrate the problem, let's assume that the respondent answered that his name was:

<script>alert('Hello there')</script>

..then the survey administrator would see an annoyingly displayed message box every time he looked at the data through his browser. The same approach would be valid for other export formats, such as the SQL export and the XML export.

It has also been pointed out that a similar problem occurs in error messages about malformed query strings in Mod_Survey. The conceivable impact of this is limited, but the problem has been fixed as a part of this security update. Further, steps have been taken to add an extra layer of protection around the data backend.

The problem has been addressed differently in the two major branches of Mod_Survey.

In the stable branch, illegal characters are now blocked altogether. It will thus not be possible to submit characters like <, >, $ and '. Other characters such as ;, " and & have been blocked since earlier. System administrators should be aware of this before upgrading to the new version, as legitimate uses of these characters are also blocked. This could cause some irritation amongst respondents. One workaround if this becomes a problem is to set _SURVEY_PROTESTILLEGAL to 0, which will silently replace illegal characters with pipe signs rather than whining at the respondent.

In the development branch, the solution has been to filter the output rather than the input. Thus, each data export now keeps track of which characters to filter out or escape. For example, the HTML export will silently replace all "<" with "&lt;".

EXPLOIT
-------

A proof of concept of the script injection problem has been written and published by Niklas Deutschmann on the Mod_Survey mailing list. As this involves no complicated coding and since anyone with some insight into JavaScript immediately will understand how to exploit the flaw, there is no reason to republish this exploit here. Please refer to the Mod_Survey mailing list if you are interested.

IMPACT
------

Most surveys will be vulnerable to this. Surveys that only contain numerical input fields will not be affected. Nor will this be a problem in closed-sample surveys where the respondents are known and trusted. In surveys where the administration part has been knowingly left open so that respondents can view answers anyway, this will merely be a minor annoyance. All in all the impact must be characterized as severe.

CREDITS
-------

The problem was first discovered and discussed by Niklas Deutschmann, who also wrote a proof of concept. BugAnt submitted the basic code for solving the problem in the 3.2.x branch.

// Joel
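The two mitigation strategies the advisory describes (stable branch: block or pipe-replace illegal characters on input; development branch: escape at export time), as an added Python illustration that is not Mod_Survey's own code. The character list and the `_SURVEY_PROTESTILLEGAL` semantics follow the advisory; the function names, table layout and sample rows are constructed for this example.

```python
from html import escape
from typing import Dict, List, Optional

# Characters the advisory says the stable (3.0.x) branch blocks on input:
# <, >, $ and ' (newly) plus ;, " and & (blocked since earlier).
ILLEGAL_INPUT_CHARS = set("<>$';\"&")


def filter_input(answer: str, protest_illegal: bool = True) -> Optional[str]:
    """Stable-branch style mitigation: validate the answer on the way in.

    protest_illegal=True mirrors _SURVEY_PROTESTILLEGAL=1: an answer holding
    an illegal character is rejected (None), so the respondent gets an error.
    protest_illegal=False mirrors _SURVEY_PROTESTILLEGAL=0: each illegal
    character is silently replaced with a pipe sign and the answer is kept.
    """
    if not any(c in ILLEGAL_INPUT_CHARS for c in answer):
        return answer
    if protest_illegal:
        return None
    return "".join("|" if c in ILLEGAL_INPUT_CHARS else c for c in answer)


def export_html_table(rows: List[Dict[str, str]], escape_output: bool = True) -> str:
    """Render stored answers as an HTML table for the administrator.

    escape_output=False reproduces the old behaviour the advisory describes
    (data pasted straight into the HTML); escape_output=True is the
    development-branch fix, escaping every cell at export time.
    """
    if not rows:
        return "<table></table>"
    cell = (lambda s: escape(s, quote=True)) if escape_output else (lambda s: s)
    columns = list(rows[0])
    out = ["<table>", "<tr>" + "".join(f"<th>{cell(c)}</th>" for c in columns) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{cell(row[c])}</td>" for c in columns) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


# Constructed sample submission using the advisory's own example answer.
SAMPLE_ROWS = [
    {"name": "<script>alert('Hello there')</script>", "age": "34"},
    {"name": "Anna", "age": "29"},
]

if __name__ == "__main__":
    print(export_html_table(SAMPLE_ROWS, escape_output=False))  # old: script tag survives
    print(export_html_table(SAMPLE_ROWS))                        # fixed: entities only
    print(filter_input(SAMPLE_ROWS[0]["name"]))                   # None: answer rejected
    print(filter_input(SAMPLE_ROWS[0]["name"], protest_illegal=False))
```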