Improper Authorization in Export role function in limesurvey/limesurvey

Valid

Reported on

Jun 28th 2023


Description

The application does not correctly enforce user rights on the role export function, so an attacker can obtain sensitive information about user roles.

Proof of Concept

Step 1: The administrator user accesses the user role management function and performs the 'export role' operation.


Step 2: Upon observation, an HTTP request GET /index.php?r=userRole/runExport&ptid=121 is seen performing the export task. Any user can directly access the path https://demo.limesurvey.org/index.php?r=userRole/runExport&ptid=121 and successfully download the exported role file, because the endpoint does not check the caller's permissions.


Impact

An attacker only needs to change the ptid value to download the definition of any user role.
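Added example, not code from this report or from LimeSurvey: a minimal Python model of the reported gap (the export handler looks up the role by ptid without checking who is asking) next to a hardened handler that requires a global export permission before touching the object. The role table, the permission name usergroups:export and the handler names are assumptions.

```python
"""Model of the missing-authorization bug on
GET /index.php?r=userRole/runExport&ptid=<id> and of the fix.
Hypothetical handlers; constructed sample roles, not real LimeSurvey data."""
from dataclasses import dataclass, field

# Constructed role table keyed by ptid.
ROLES = {121: {"name": "Survey editors", "permissions": ["surveys:update"]},
         122: {"name": "Superadmin", "permissions": ["*"]}}

@dataclass
class User:
    name: str
    is_authenticated: bool = True
    global_permissions: set = field(default_factory=set)

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def run_export_vulnerable(user: User, ptid: int) -> dict:
    # Before the fix: only the object lookup, no check on the caller.
    if ptid not in ROLES:
        raise NotFound(ptid)
    return ROLES[ptid]

def run_export_fixed(user: User, ptid: int) -> dict:
    # After the fix: the action itself needs a global permission (assumed
    # name), checked before the object is read, so changing ptid gains nothing.
    if not user.is_authenticated:
        raise Forbidden("login required")
    if "usergroups:export" not in user.global_permissions:
        raise Forbidden("missing export permission")
    if ptid not in ROLES:
        raise NotFound(ptid)
    return ROLES[ptid]

def exportable_role_ids(handler, user: User, ids=range(120, 125)) -> list:
    """Regression check: which role ids `user` can pull through `handler`.
    An empty list for a non-admin is the expected result after the fix."""
    got = []
    for ptid in ids:
        try:
            handler(user, ptid)
            got.append(ptid)
        except (Forbidden, NotFound):
            pass
    return got

admin = User("admin", global_permissions={"usergroups:export"})
guest = User("anon", is_authenticated=False)
```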

Timeline

We are processing your report and will contact the limesurvey team within 24 hours. (3 months ago)
aqngoc modified the report (3 months ago)
Carsten Schmitz validated this vulnerability (3 months ago)
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz (Maintainer), 3 months ago: Internal reference number: #18927
Carsten Schmitz marked this as fixed in 6.1.7 with commit b4ae50 (2 months ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability (2 months ago)