Description
The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote, authenticated attacker holding the tokens/update permission on a survey can inject a crafted array element to perform SQL injection.

Because LimeSurvey configures its PDO connection with emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statements, the injection supports stacked queries: the attacker can append arbitrary additional statements (INSERT/UPDATE/DELETE/DROP/CREATE) after the original SELECT.

This permits both arbitrary read of any data in the database, such as administrator bcrypt password hashes (lime_users), survey response PII, session records, and global settings, all recoverable via a SLEEP() time-based blind oracle, and arbitrary write/destruction of that data, including directly overwriting the administrator password hash for immediate account takeover or dropping/truncating tables. Reads and writes extend to any schema the application's database user can access.

The RemoteControl interface (RPCInterface = json/xml) must be enabled, which is not the default.
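The pattern described above, as an added example that is neither LimeSurvey's code nor the fix from the pull request: the concatenated IN clause beside a version that validates each element as an integer and binds it as a parameter. The table, column and function names are assumptions, and an in-memory SQLite database stands in for MySQL so the sketch runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not LimeSurvey code. The table and column names (tokens, tid, sent)
// and both function names are assumptions made for this sketch.

/** Vulnerable pattern from the advisory: values concatenated into tid IN ('...'). */
function buildUninvitedSqlUnsafe(array $tokenIds): string
{
    return "SELECT tid FROM tokens WHERE sent = 'N' AND tid IN ('"
        . implode("','", $tokenIds) . "')";
}

/** Hardened form: each element must be a positive integer and is bound, never concatenated. */
function findUninvitedSafe(PDO $pdo, array $tokenIds): array
{
    $ids = [];
    foreach ($tokenIds as $value) {
        // FILTER_VALIDATE_INT rejects anything that is not a plain integer literal.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('token id must be a positive integer');
        }
        $ids[] = $id;
    }
    if ($ids === []) {
        return []; // "IN ()" is not valid SQL; no ids means no rows
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT tid FROM tokens WHERE sent = 'N' AND tid IN ($placeholders)");
    $stmt->execute($ids);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE tokens (tid INTEGER PRIMARY KEY, sent TEXT)");
$pdo->exec("INSERT INTO tokens VALUES (1,'N'), (2,'N'), (3,'Y')");

$crafted = ["1", "2'x"]; // constructed element that contains a quote
echo buildUninvitedSqlUnsafe($crafted), PHP_EOL; // query text the concatenation produces
var_dump(findUninvitedSafe($pdo, [1, "2", 3]));  // integer ids, bound as parameters
try {
    findUninvitedSafe($pdo, $crafted);           // same crafted array, validated first
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// On a MySQL PDO connection, these options also remove the stacked-query primitive:
// [PDO::ATTR_EMULATE_PREPARES => false, PDO::MYSQL_ATTR_MULTI_STATEMENTS => false]
```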
Problem types
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
Any version
7.0.1 (custom)
Credits
McCaulay Hudson (@_McCaulay) of watchTowr
References
github.com/LimeSurvey/LimeSurvey/pull/5031 (GitHub Pull Request 5031)
www.limesurvey.org/ (Official Product Homepage)
www.vulncheck.com/...pants-remind-participants-sql-injection (VulnCheck Advisory: LimeSurvey RemoteControl invite_participants/remind_participants SQL Injection)