
Security Auditing for LimeSurvey (for the benefit of all installations like WMI-LimeSurvey)
Open, Medium, Public

Description

Preamble

Just after landing the WMI LimeSurvey initiative (T274837), in an attempt to be proactive and propose solid Free software solutions for Wikimedia contributors, a user raised a concern about the security of the LimeSurvey software itself:

Security issues were found the previous two times WMF looked at it, from my understanding, and that was without doing a full security review process....
― K. Peachey https://lists.wikimedia.org/pipermail/wikimedia-l/2021-February/096280.html

This is not a comment we should underestimate. For example, about five years ago the Wikimedia Foundation did not adopt LimeSurvey partly for that reason (T109606: Re-evaluate Limesurvey), and for the same reason many other entities may adopt proprietary software such as Qualtrics or Google Forms, relying on the excuse of not having any credible alternative available (although there are QuickSurvey and Nextcloud Forms, which may be more audited, an irrelevant topic here, but which in any case are not as complete as LimeSurvey and do not try to be).

Proposed solution

Do security auditing on LimeSurvey.

This security auditing will provide a valid alternative to Qualtrics, Google Forms or any other proprietary software, service, or Service as a Software Substitute that may be born tomorrow morning promising breathtaking safety thanks to the (questionable) arguments raised by these companies, which rely on security through obscurity.

This means:

  • understand what kind of security auditing has already been done on LimeSurvey
  • understand who can invest in taking care of the remaining work
  • 2021-04-27 provided cybersecurity economic estimate
  • 2021-05-12 inform LimeSurvey GmbH about our intentions
  • 2021-05-18 setup a fresh LimeSurvey Community Edition to be bombed
  • 2021-06-07 start planned cybersecurity activity
  • 2021-06-11 conclude cybersecurity activity
  • report found security bugs to LimeSurvey GmbH
  • understand remediation strategies with upstream
  • the world (and WMF) begins to trust LimeSurvey more again

In the meanwhile I can make sure that Wikimedia Italia will reward anyone who finds any security bug in their WMI-LimeSurvey instance to promote healthy cooperation for a better Internet.

WARNING: I remind you that, in any case, unauthorized access to a computer system is also punishable under the Italian legal system, with up to three years in prison. So, if you are able to break Wikimedia Italia's security measures, you are not automagically authorized to download all the administrators' emails and post them on social networks, to then ask Wikimedia Italia for a biscuit in return for your magical services.

Event Timeline

Here are some sample relevant links from quick research on LimeSurvey and code injection:

I didn't go into deep detail, nor cover a wide spectrum, but a high-level overview seems to indicate that LimeSurvey does have code injection vulnerabilities (XSS, SQL…) appearing in its code base here and there from time to time. That's not great, but not unusual in the software industry, and reveals an improvable development/review/test process rather than a total lack of concern for the subject of security. On the contrary, the maintainers seem to take the reported bugs into consideration and seem to fix them (stats on median time to fix a security bug would be nice, but would require more time than I had to throw at it for now). The official bug tracker also has an option to pay for a bug to be handled, which seems to indicate a rather mature professional environment to back specific demands.

I didn't find any relevant reference to a report opened by the WMF in the bug tracker (looking for terms like Wikipedia, Wikimedia and WMF). So it would be good if Tim Starling could give us more feedback on that point, as according to Philippe Beaudette he is the person who found the vulnerabilities and pulled the tool out of the Wikimedia software stack for understandable security reasons. Feel free to ping them here if you know they have an account on Phabricator.

@tstarling and @Philippe are the tags you were looking for, just FYI.

Update. Italian Linux Society requested a price quotation from a cybersecurity company and there is consensus to carry out an initial security audit soon.

understand what kind of security auditing has already been done on LimeSurvey by Wikimedia Foundation

Uhm. Apologies for the ping @Elitre but do you know someone who could tell us something about this point? I was not able to find any related information from the wikimedia-l mailing list. Thank you dear :)

Update. In two weeks the cybersecurity company commissioned by Italian Linux Society will begin its audit of LimeSurvey CE.


Small digression. Talking about our preferences on their level of invasiveness, the answer was more or less:

Take your biggest catapult and PULL - THAT - TRIGGER.

Did we have fun saying it? Yup.

This is in progress on the latest version of LimeSurvey CE right now.

understand what kind of security auditing has already been done on LimeSurvey by Wikimedia Foundation

Uhm. Apologies for the ping @Elitre but do you know someone who could tell us something about this point? I was not able to find any related information from the wikimedia-l mailing list. Thank you dear :)

Sorry, per my profile, pings on Phab aren't the most reliable way to reach out to me. I recommend you contact @LMixter .

@valerio.bozzolan Was this audit completed and, if so, were its findings published anywhere?

Historical note: Wikimedia Foundation has finally adopted LimeSurvey (as a service)! Yeah!

https://wikimediafoundation.limesurvey.net/

https://meta.wikimedia.org/wiki/LimeSurvey

Since it's provided as a service, security management is the responsibility of LimeSurvey GmbH itself.

BTW yep, the first round on the Community Edition was completed. With Italian Linux Society we need some time to remove some personal data and obtain consent for publication under a free license before being able to share it properly.

Anyway, the report does not contain anything particularly outrageous: if you install LimeSurvey CE, the general recommendation is to check best practices for security headers and stay up to date.

I'll update soon.
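The "check best practices for security headers" recommendation in the comment above, turned into a small checker as an added example. This is not code from LimeSurvey, from the audit report, or from anyone in this thread; it encodes the usual recommendations (HSTS with a one-year max-age, a CSP without 'unsafe-inline' scripts, nosniff, clickjacking protection, a strict Referrer-Policy, Secure/HttpOnly/SameSite on cookies, no version disclosure in Server or X-Powered-By), and the two sample responses at the bottom are constructed for illustration, not captured from any real installation.

```python
"""Security-header review of an HTTP response (added example, not LimeSurvey code).

The checker takes the response headers as (name, value) pairs, because
Set-Cookie may legitimately repeat, and returns a list of human-readable
findings. An empty list means every check passed.
"""
from __future__ import annotations

import re

Headers = list[tuple[str, str]]

HSTS_MIN_AGE = 31536000  # one year; the usual threshold for HSTS recommendations
GOOD_REFERRER = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def _get(headers: Headers, name: str) -> list[str]:
    """All values for a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _csp_directives(policy: str) -> dict[str, list[str]]:
    """Split 'default-src 'self'; frame-ancestors 'none'' into {name: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers: Headers) -> list[str]:
    """Return findings for the common security-header recommendations."""
    findings: list[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_AGE}")

    csp = _get(headers, "Content-Security-Policy")
    directives = _csp_directives(csp[0]) if csp else {}
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent, as in CSP itself.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' in script-src")

    if not any(v.strip().lower() == "nosniff" for v in _get(headers, "X-Content-Type-Options")):
        findings.append("missing X-Content-Type-Options: nosniff")

    xfo_ok = any(v.strip().upper() in ("DENY", "SAMEORIGIN") for v in _get(headers, "X-Frame-Options"))
    if not xfo_ok and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    referrer = _get(headers, "Referrer-Policy")
    if not referrer or referrer[0].strip().lower() not in GOOD_REFERRER:
        findings.append("missing or weak Referrer-Policy")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {label}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name} lacks SameSite")

    # Version strings in Server / X-Powered-By give an attacker free reconnaissance.
    for header in ("Server", "X-Powered-By"):
        for v in _get(headers, header):
            if re.search(r"\d+\.\d+", v):
                findings.append(f"{header} discloses a version: {v}")

    return findings


# Constructed sample: what a fresh PHP install often sends before any hardening.
WEAK: Headers = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

# Constructed sample: the same response after the web server has been hardened.
HARDENED: Headers = [
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {check_security_headers(sample) or 'no findings'}")
```

Against a live instance the pairs would come from the response of an HTTP client rather than the constructed lists; the point of the checks is that a CSP with frame-ancestors makes X-Frame-Options redundant, that HSTS is only meaningful with a long max-age, and that the session cookie flags matter as much as the headers themselves.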

Fantastic news, thank you Valerio!