LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability

Title: LimeSurvey v2.00+ (build 131107) Script Insertion And SQL Injection Vulnerability
Advisory ID: ZSL-2013-5161
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 23.11.2013
Summary
LimeSurvey (formerly PHPSurveyor) is a free and open source on-line survey application written in PHP based on a MySQL, PostgreSQL or MSSQL database, distributed under the GNU General Public License. As web server-based software, it enables users to develop and publish on-line surveys, and collect responses, without doing any programming.
Description
LimeSurvey suffers from stored cross-site scripting and SQL injection vulnerabilities. Input passed to the 'label_name' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Input passed to the 'group_name' POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
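The two defences the description points to, as an added illustration that is not LimeSurvey's code or the vendor's patch: the 'group_name' value is bound as a query parameter, and the 'label_name' value is HTML-encoded when it is written back to the page. The table names, function names and sample request are assumptions, and the script assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory schema; these are not LimeSurvey's real tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey_groups (id INTEGER PRIMARY KEY, group_name TEXT NOT NULL)');
$db->exec('CREATE TABLE label_sets (id INTEGER PRIMARY KEY, label_name TEXT NOT NULL)');

/** Accept only a non-empty string of bounded length (rejects array-valued parameters). */
function textParam(array $post, string $key, int $maxLen = 100): string
{
    $value = $post[$key] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("invalid $key");
    }
    return $value;
}

/** SQL context: the value travels as a bound parameter, never as part of the statement text. */
function saveGroup(PDO $db, string $groupName): void
{
    $db->prepare('INSERT INTO survey_groups (group_name) VALUES (:name)')
       ->execute([':name' => $groupName]);
}

/** Stored as received; encoding belongs to the output context, not to storage. */
function saveLabelSet(PDO $db, string $labelName): void
{
    $db->prepare('INSERT INTO label_sets (label_name) VALUES (:name)')
       ->execute([':name' => $labelName]);
}

/** HTML context: every stored value is entity-encoded at the point of output. */
function renderLabelSets(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT label_name FROM label_sets ORDER BY id') as $row) {
        $safe = htmlspecialchars($row['label_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "  <li>$safe</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample request body containing SQL and HTML metacharacters.
$post = ['group_name' => "Customer's \"Q4\" group; -- notes",
         'label_name' => '<b>Satisfaction</b> & "loyalty"'];
saveGroup($db, textParam($post, 'group_name'));
saveLabelSet($db, textParam($post, 'label_name'));
// Compare the stored group name with the submitted one, then print the encoded list.
var_dump($db->query('SELECT group_name FROM survey_groups')->fetchColumn() === $post['group_name']);
echo renderLabelSets($db);
```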
Vendor
LimeSurvey Project Team - http://www.limesurvey.org
Affected Version
2.00+ build 131009
2.00+ build 131022
2.00+ build 131031
2.00+ build 131107
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[19.11.2013] Vulnerabilities discovered.
[22.11.2013] Vendor notified through their bug tracking system with details.
[22.11.2013] Vendor confirms the issues, creating patch.
[22.11.2013] Vendor releases a fix (build 131122) to address these issues.
[23.11.2013] Coordinated public security advisory released.
PoC
limesurvey_sqlixss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://bugs.limesurvey.org/view.php?id=8398
[2] http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13491
[3] http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13494
[4] http://www.limesurvey.org/en/stable-release
[5] http://cxsecurity.com/issue/WLB-2013110162
[6] http://packetstormsecurity.com/files/124157
[7] http://www.securityfocus.com/bid/63919
[8] http://www.exploit-db.com/exploits/29789/
[9] http://www.osvdb.org/show/osvdb/100429
[10] http://www.osvdb.org/show/osvdb/100430
Changelog
[23.11.2013] - Initial release
[29.11.2013] - Added references [6], [7] and [8]
[01.12.2013] - Added references [9] and [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk