Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite

Valid

Reported on Jan 12th 2022


Description

Hi there, I would like to report another CSRF in phoronix.

Proof of Concept

  1. Install a local instance of phoronix.
  2. Create a benchmark and note down the benchmark id.
  3. Access the links /?benchmark/<benchmark-id>/&repeat, /?benchmark/<benchmark-id>/&disable and /?benchmark/<benchmark-id>/&remove and see that the benchmark is repeated, disabled and removed.

Impact

This vulnerability is capable of CSRF.
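
The three URLs in step 3 change state on a plain request for a link, with no proof that the logged-in user meant to send it. As an added example (not code from Phoronix Test Suite or from the fix commit), this PHP sketch contrasts that pattern with a check that requires POST and a session-bound token; the function names, the benchmark-id character set and the sample requests are assumptions made for illustration.

```php
<?php
// Added example; not Phoronix Test Suite code. All function names are hypothetical.
declare(strict_types=1);

const STATE_CHANGING = ['repeat', 'disable', 'remove'];

// Split a query string shaped like "benchmark/<id>/&remove" into [id, action].
// The id character set is an assumption; the report does not specify it.
function parse_benchmark_request(string $query): ?array
{
    $parts = explode('&', $query);
    if (!preg_match('#^benchmark/([A-Za-z0-9_-]+)/?$#', $parts[0], $m)) {
        return null;
    }
    $flags = array_map(fn($p) => explode('=', $p, 2)[0], array_slice($parts, 1));
    $actions = array_values(array_intersect(STATE_CHANGING, $flags));
    return [$m[1], $actions[0] ?? null];
}

// Pattern described in the report: the action runs on any request that carries the flag.
function allow_before_fix(string $query): bool
{
    $req = parse_benchmark_request($query);
    return $req !== null && $req[1] !== null;
}

// Hardened: a state change needs POST plus a token bound to the user's session.
function allow_hardened(string $method, string $query, string $sessionToken, ?string $sentToken): bool
{
    $req = parse_benchmark_request($query);
    if ($req === null || $req[1] === null || $method !== 'POST') {
        return false; // requests arriving through a followed link are GET
    }
    return $sessionToken !== '' && $sentToken !== null
        && hash_equals($sessionToken, $sentToken);
}

// Constructed sample requests: [method, query string, token sent by the client].
$token = bin2hex(random_bytes(32));
$cases = [
    ['GET',  'benchmark/42/&remove',  null],
    ['POST', 'benchmark/42/&disable', 'wrong-token'],
    ['POST', 'benchmark/42/&repeat',  $token],
];
foreach ($cases as [$method, $query, $sent]) {
    printf("%-4s %-22s before=%-5s hardened=%s\n", $method, $query,
        var_export(allow_before_fix($query), true),
        var_export(allow_hardened($method, $query, $token, $sent), true));
}
```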

We are processing your report and will contact the phoronix-test-suite team within 24 hours. (a year ago)
We have contacted a member of the phoronix-test-suite team and are waiting to hear back. (a year ago)
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability. (a year ago)
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8.0 with commit 5755b3. (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE