Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite

Valid

Reported on

Jan 10th 2022


Description

Hi there, I would like to report a Cross Site Request Forgery in phoronix source code. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Proof of Concept

  1. Install a local instance of phoronix test suite
  2. Create a schedule, note down the schedule id
  3. Access this link /?schedules/<schedule-id>/deactivate and see that the schedule is deactivated
  4. Access this link /?schedules/<schedule-id>/activate and see that the schedule is activated.
  5. In real attack scenarios, the hacker would send the 2 above links to the victim and when they clicks it, their schedules are activated/deactivated without their consent.

Impact

This vulnerability is capable of CSRF.

We are processing your report and will contact the phoronix-test-suite team within 24 hours. 18 days ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back 17 days ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability 17 days ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer confirmed that a fix has been merged on 4f1829 17 days ago
The fix bounty has been dropped