Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
Valid
Reported on
Jan 12th 2022
Description
Hi there, I would like to report another CSRF in phoronix
Proof of Concept
- Install a local instance of phoronix
- Create a benchmark and note down benchmark id
- Access the link
/?benchmark/<benchmark-id>/&repeat
,/?benchmark/<benchmark-id>/&disable
and/?benchmark/<benchmark-id>/&remove
and see that the benchmark is repeated, disabled and removed.
Impact
This vulnerability is capable of CSRF.
Occurrences
We are processing your report and will contact the
phoronix-test-suite
team within 24 hours.
4 months ago
We have contacted a member of the
phoronix-test-suite
team and are waiting to hear back
4 months ago
A phoronix-test-suite/phoronix-test-suite maintainer
confirmed that a fix has been merged on 5755b3
4 months ago
The fix bounty has been dropped
phoromatic_benchmark.php#L110
has been validated
to join this conversation