Insufficient Session Expiration in humhub/humhub

Valid

Reported on

Sep 6th 2022


Description

Existing sessions are not invalidated after a password change.

Proof of Concept

Steps to reproduce:

1. Log in to HumHub
2. Do the same in another browser or a private window, such that there are two different active sessions
3. Update the user's password in either of the two sessions
4. Observe that the other session is still active and was not invalidated

Impact

An old session can be used by an attacker even after the password has been changed. A password change is a way to react to an account breach and should guarantee that the attacker no longer has access. However, in this case the session is still active and the attacker can perform all actions tied to that session until it expires.

Occurrences

Active sessions should be invalidated after a password change.
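One way to implement the missing invalidation, shown here as an added example in Python rather than HumHub's or Yii's own code: every session records the password "generation" it was issued under, a password change bumps that generation and re-issues only the session that made the change, and `reproduce_report()` replays the four steps above against the store. All class and function names are assumptions made for the example.

```python
import secrets


class SessionStore:
    """In-memory user/session store constructed for this example (not HumHub code)."""

    def __init__(self):
        self.users = {}     # user_id -> {"password_hash": str, "pw_generation": int}
        self.sessions = {}  # session_id -> {"user_id": str, "pw_generation": int}

    def add_user(self, user_id, password_hash):
        self.users[user_id] = {"password_hash": password_hash, "pw_generation": 0}

    def login(self, user_id):
        # Each session remembers which password generation it was issued under.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user_id": user_id,
                              "pw_generation": self.users[user_id]["pw_generation"]}
        return sid

    def is_active(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        # Mitigation: a session issued under an older password is rejected even
        # though its cookie has not expired yet.
        return s["pw_generation"] == self.users[s["user_id"]]["pw_generation"]

    def change_password(self, sid, new_password_hash):
        """Change the password from session `sid`; returns a fresh id for that session."""
        if not self.is_active(sid):
            raise PermissionError("session is not active")
        user_id = self.sessions[sid]["user_id"]
        user = self.users[user_id]
        user["password_hash"] = new_password_hash
        user["pw_generation"] += 1     # every existing session of this user is now stale
        del self.sessions[sid]
        return self.login(user_id)     # re-issue only the session that made the change


def reproduce_report():
    """Replays the report's steps; returns (other active before, other active after, changer active)."""
    store = SessionStore()
    store.add_user("alice", "hash-of-old-password")          # constructed sample user
    browser_a = store.login("alice")                          # step 1
    browser_b = store.login("alice")                          # step 2: second browser / private window
    before = store.is_active(browser_b)
    browser_a = store.change_password(browser_a, "hash-of-new-password")  # step 3
    return before, store.is_active(browser_b), store.is_active(browser_a)  # step 4
```

With the check in place, step 4 of the report no longer reproduces: the second browser's session is refused on its next request while the session that changed the password stays logged in.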

Lucas Bartholemy validated this vulnerability 3 months ago
Lucas Bartholemy marked this as fixed in 1.13 with commit 1ed388 2 months ago
This vulnerability will not receive a CVE