Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite


Reported on

Jan 10th 2022


Hi there, I would like to report a Cross Site Request Forgery in phoronix source code. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Proof of Concept

  1. Install a local instance of phoronix test suite
  2. Create a schedule, note down the schedule id
  3. Access this link /?schedules/<schedule-id>/deactivate and see that the schedule is deactivated
  4. Access this link /?schedules/<schedule-id>/activate and see that the schedule is activated.
  5. In real attack scenarios, the hacker would send the 2 above links to the victim and when they clicks it, their schedules are activated/deactivated without their consent.


This vulnerability is capable of CSRF.

We are processing your report and will contact the phoronix-test-suite team within 24 hours. a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back a year ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8 with commit 4f1829 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation