Improper Authorization in Export role function in limesurvey/limesurvey

Valid

Reported on

Jun 28th 2023


Description

The application controls user rights incorrectly, leading to the attacker being able to collect sensitive information.

Proof of Concept

Step1: The administrator user accesses the user role management function and performs the 'export role' operation.

Untitled

Step2: Upon observation, a HTTP request GET /index.php?r=userRole/runExport&ptid=121 is seen performing the export task. Any user can directly accesses the path https://demo.limesurvey.org/index.php?r=userRole/runExport&ptid=121, and successfully downloads the exported role file.

Untitled

Impact

The attacker only needs to change the ID arbitrarily to be able to download information about any user role.

We are processing your report and will contact the limesurvey team within 24 hours. 8 months ago
aqngoc modified the report
8 months ago
Carsten Schmitz validated this vulnerability 8 months ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz
8 months ago

Internal reference number: #18927

Carsten Schmitz marked this as fixed in 6.1.7 with commit b4ae50 7 months ago
The fix bounty has been dropped
This vulnerability has now been published 7 months ago
to join this conversation