Improper Authorization in Export role function in limesurvey/limesurvey
Jun 28th 2023
The application controls user rights incorrectly, leading to the attacker being able to collect sensitive information.
Proof of Concept
Step1: The administrator user accesses the user role management function and performs the 'export role' operation.
Step2: Upon observation, a HTTP request GET /index.php?r=userRole/runExport&ptid=121 is seen performing the export task. Any user can directly accesses the path https://demo.limesurvey.org/index.php?r=userRole/runExport&ptid=121, and successfully downloads the exported role file.
The attacker only needs to change the ID arbitrarily to be able to download information about any user role.