Improper access control could let any user export all users of the website in humhub/humhub
Reported on
Apr 13th 2022
Description
A user who has to change their password after logging in can export the website's user data.
Proof of Concept
Step 1: Log in to the website with an admin account and change the password of a user. Check the box "Force password change upon next login" and save.
Step 2: Log in to the website with the account whose password you just changed. You will see a change-password page.
Step 3: Go to the link: domain/admin/user/export?format=xlsx. You will see that this account can export the data of all users without admin privileges.
You may try it out on ncsctest.humhub.com, which is my demo site. After logging in, a user tester / 123123 will be forced to change their password. You can view the export file humhub user.xlsx at https://ncsctest.humhub.com/admin/user/export?format=xlsx.
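The following Python is an added example, not HumHub's code: it models the access-control ordering behind this class of bug, a flawed check in which a pending forced password change short-circuits the request before the admin check runs, beside a hardened check in which the pending state only ever narrows what the account may reach. The route paths, the User fields and the exact mechanism of the flaw are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Hypothetical account record (field names are assumptions)."""
    name: str
    is_admin: bool
    must_change_password: bool


# Assumed route names: the only page a pending-change account should reach,
# and an admin-only route like the user export in the report.
PASSWORD_CHANGE_ROUTES = {"/user/account/change-password"}
ADMIN_ROUTES = {"/admin/user/export"}


def vulnerable_can_access(user: User, route: str) -> bool:
    """Flawed ordering: the pending-change branch returns early, so a direct
    request to an admin route is never tested against the admin role."""
    if user.must_change_password:
        # Meant to route the user to the change-password page, but for a
        # direct request it simply lets the request through unchecked.
        return True
    if route in ADMIN_ROUTES:
        return user.is_admin
    return True


def hardened_can_access(user: User, route: str) -> bool:
    """Fixed ordering: a pending password change can only deny access, and
    the admin role is evaluated for admin routes in every account state."""
    if user.must_change_password and route not in PASSWORD_CHANGE_ROUTES:
        return False
    if route in ADMIN_ROUTES and not user.is_admin:
        return False
    return True


def audit(check, users, route: str) -> dict:
    """Evaluate one access check for several accounts against one route,
    returning {user name: allowed} so the two policies can be compared."""
    return {u.name: check(u, route) for u in users}


# Constructed sample accounts matching the report's scenario.
SAMPLE_USERS = [
    User("admin", is_admin=True, must_change_password=False),
    User("member", is_admin=False, must_change_password=False),
    User("tester", is_admin=False, must_change_password=True),
]
```

Running audit with both checks against "/admin/user/export" shows the pending-change, non-admin account allowed by the flawed ordering and denied by the hardened one, while the admin account is unaffected.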
Impact
As a result, the attacker may be able to acquire data from all users on the website.
Occurrences
Thanks for the report. We can confirm the error and are working on a solution.