Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite

Valid

Reported on

Jan 12th 2022

Description

Hi there, I would like to report another CSRF in phoronix

Proof of Concept

  1. Install a local instance of phoronix
  2. Create a benchmark and note down benchmark id
  3. Access the link /?benchmark/<benchmark-id>/&repeat, /?benchmark/<benchmark-id>/&disable and /?benchmark/<benchmark-id>/&remove and see that the benchmark is repeated, disabled and removed.

Impact

This vulnerability is capable of CSRF.

We are processing your report and will contact the phoronix-test-suite team within 24 hours. 4 months ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back 4 months ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability 4 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer confirmed that a fix has been merged on 5755b3 4 months ago
The fix bounty has been dropped
phoromatic_benchmark.php#L110 has been validated
to join this conversation