Insufficient Session Expiration in humhub/humhub
Sep 6th 2022
Existing sessions are not invalidated after a password change.
Proof of Concept
Steps to reproduce:
1. Log in to HumHub
2. Do the same in another browser or a private window, such that there are two different active sessions
3. Update the user's password in either of the two sessions
4. Observe that the other session is still active and was not invalidated
An old session can be used by an attacker even after the password has been changed. A password change is a way to react to an account breach and should guarantee that the attacker no longer has access. However, in this case the old session remains active and the attacker can perform all actions tied to it until that session expires on its own.
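The following is an added illustration, not HumHub code: a minimal in-memory session store that walks through the four reproduction steps above, once with the reported behaviour (sessions survive a password change) and once with a common mitigation, binding each session to a per-user `auth_version` counter that is bumped whenever the password changes, so every session issued before the change is rejected on its next request. The user, session and store names are assumptions chosen for the example, and the SHA-256 password hashing is a stand-in for a real KDF.

```python
"""Added example (not HumHub's code): reproduce the advisory's steps against a
vulnerable session store and against one that invalidates on password change."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    name: str
    password_hash: str
    # Assumption for the example: a counter kept with the user record and
    # incremented on every password change.
    auth_version: int = 0


@dataclass
class Session:
    user: str
    token: str
    # The user's auth_version at the moment this session was issued.
    auth_version: int


def hash_password(password: str) -> str:
    # Placeholder for the demo only; a real deployment uses a slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.invalidate_on_password_change = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        self.users[name] = User(name, hash_password(password))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(
            user.password_hash, hash_password(password)
        ):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, token, user.auth_version)
        return token

    def current_user(self, token: Optional[str]) -> Optional[str]:
        """Resolve a session token to its user, or None if the session is not valid."""
        session = self.sessions.get(token) if token else None
        if session is None:
            return None
        user = self.users[session.user]
        if self.invalidate_on_password_change and session.auth_version != user.auth_version:
            # Hardened path: the session predates the last password change,
            # so it is rejected and removed from the store.
            del self.sessions[token]
            return None
        return session.user

    def change_password(self, token: str, new_password: str) -> bool:
        name = self.current_user(token)
        if name is None:
            return False
        user = self.users[name]
        user.password_hash = hash_password(new_password)
        user.auth_version += 1
        # Keep the session that performed the change logged in by re-stamping it;
        # every other session for this user now carries a stale auth_version.
        self.sessions[token].auth_version = user.auth_version
        return True


def reproduce(invalidate: bool) -> Tuple[bool, bool]:
    """Run the advisory's four steps. Returns (session_a_alive, session_b_alive)
    after the password is changed from session A."""
    store = SessionStore(invalidate_on_password_change=invalidate)
    store.register("alice", "old-password")          # constructed sample account
    a = store.login("alice", "old-password")         # step 1: first browser
    b = store.login("alice", "old-password")         # step 2: second browser
    assert store.change_password(a, "new-password")  # step 3: change password in A
    return (store.current_user(a) == "alice",        # step 4: which sessions survive?
            store.current_user(b) == "alice")


if __name__ == "__main__":
    print("vulnerable store (A alive, B alive):", reproduce(False))  # (True, True)
    print("hardened store  (A alive, B alive):", reproduce(True))    # (True, False)
```

In the vulnerable configuration the second browser keeps its session exactly as described in step 4; in the hardened one its next request fails and the session is dropped, while the session that performed the change stays logged in. Comparing a version counter rather than storing a timestamp avoids clock-skew problems and also gives the user a one-click "log out everywhere" action: bump the counter without changing the password.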