CVE-2024-42902
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on LimeSurvey servers by injecting malicious payloads into the lng parameter of the js_localize.php script (shipped under the bundled kcfinder component). It affects LimeSurvey installations up to version 6.6.2. Attackers can potentially take full control of affected systems.
💻 Affected Systems
- LimeSurvey
📦 What is this software?
LimeSurvey (vendor: LimeSurvey), an open-source web application for creating and running online surveys.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution allowing attackers to deface websites, steal survey data, or use the server for malicious activities.
If Mitigated
Limited impact with proper network segmentation, WAF rules, and a web server running with minimal privileges.
🎯 Exploit Status
Exploit code is publicly available in GitHub repositories. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.6.3 or later
Vendor Advisory: https://bugs.limesurvey.org/view.php?id=19639
Restart Required: No
Instructions:
1. Back up your LimeSurvey installation and database.
2. Download the latest version from the official LimeSurvey website.
3. Replace the vulnerable js_localize.php file or upgrade the entire installation.
4. Verify the fix by checking the version number.
🔧 Temporary Workarounds
Remove vulnerable file
Delete or rename the vulnerable js_localize.php file to prevent exploitation:
rm /path/to/limesurvey/vendor/kcfinder/js_localize.php
Restrict access via web server
Block access to the vulnerable endpoint using web server configuration:
# Apache:
<Location "/vendor/kcfinder/js_localize.php">
Require all denied
</Location>
# Nginx:
location ~ /vendor/kcfinder/js_localize\.php$ { deny all; }
Place the Nginx rule before any generic "location ~ \.php$" handler: regex locations are matched in the order they appear and the first match wins, so a later deny rule would never be reached.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the LimeSurvey instance
- Deploy a web application firewall (WAF) with rules to block malicious lng parameter values
🔍 How to Verify
Check if Vulnerable:
Check if the file /vendor/kcfinder/js_localize.php exists in your LimeSurvey installation and examine its contents for the vulnerable code pattern.
Check Version:
Check the version.txt file in your LimeSurvey root directory or view the admin panel version information.
Verify Fix Applied:
Verify that the js_localize.php file has been updated or removed, and confirm your LimeSurvey version is 6.6.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to js_localize.php with long or encoded lng parameters
- Web server error logs showing PHP execution errors from the kcfinder directory
- System logs showing unexpected process execution from the web server user
Network Indicators:
- HTTP requests to /vendor/kcfinder/js_localize.php with suspicious lng parameter values
- Outbound connections from the LimeSurvey server to unknown IPs
SIEM Query:
source="web_server_logs" AND (uri="/vendor/kcfinder/js_localize.php" OR uri="/js_localize.php") AND (param="lng" AND length(value)>100)
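As an added example (not part of the original advisory), the following Python script applies the log indicators above to Apache/Nginx combined-format access-log lines: it flags requests to js_localize.php whose lng value is longer than 100 characters, or contains percent-encoding or characters that a plain language code would never have. The log format, the threshold and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined access-log format (Apache/Nginx default); assumed, adjust if yours differs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A legitimate kcfinder language code is short and uses only letters, digits, '_' and '-'.
LANG_CODE_RE = re.compile(r'^[A-Za-z0-9_-]{1,16}$')
MAX_LNG_LEN = 100  # same threshold as the SIEM query above

def classify_request(line):
    """Return (reason, ip, raw_lng) for a suspicious hit on js_localize.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/js_localize.php'):
        return None
    raw_match = re.search(r'(?:^|&)lng=([^&]*)', parts.query)
    if raw_match is None:
        return None  # endpoint hit without the injectable parameter
    raw = raw_match.group(1)  # undecoded, so %xx sequences stay visible
    if len(raw) > MAX_LNG_LEN:
        return ('long_lng', m.group('ip'), raw)
    if '%' in raw or not LANG_CODE_RE.match(unquote_plus(raw)):
        return ('encoded_or_unexpected_lng', m.group('ip'), raw)
    return None

def scan_log(text):
    """Apply classify_request to every line and return the list of findings."""
    return [r for r in map(classify_request, text.splitlines()) if r]

# Constructed sample traffic: two benign requests, then two that should be flagged.
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Sep/2024:12:00:01 +0000] "GET /index.php?r=survey/index HTTP/1.1" 200 5123 "-" "Mozilla/5.0"\n'
    '203.0.113.8 - - [10/Sep/2024:12:00:02 +0000] "GET /vendor/kcfinder/js_localize.php?lng=pt-BR HTTP/1.1" 200 312 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [10/Sep/2024:12:00:03 +0000] "GET /vendor/kcfinder/js_localize.php?lng=' + 'A' * 120 + ' HTTP/1.1" 200 0 "-" "curl/8.0"\n'
    '198.51.100.9 - - [10/Sep/2024:12:00:04 +0000] "GET /vendor/kcfinder/js_localize.php?lng=en%27%20constructed HTTP/1.1" 500 0 "-" "curl/8.0"\n'
)

if __name__ == '__main__':
    for reason, ip, raw in scan_log(SAMPLE_LOG):
        print(f'{reason:28} {ip:15} lng={raw[:40]}')
```

Feed it a real access log with `scan_log(open(path).read())`; a POST body is not visible in access logs, so pair this with the PHP error-log and process-execution indicators listed above.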