Cross-site Request Forgery in running a scheduler via the GET method in autolab/autolab
May 11th 2022
There is a CSRF in the autolab scheduler "run" action: because it is exposed over the GET method, a plain link or image request made by a logged-in user's browser is enough to trigger the state change, with no form submission or CSRF token involved.
Proof of Concept
- Install a local instance of autolab
- Go to /courses/<course-name>/schedulers and create a schedule
- Access the link /courses/<course-name>/schedulers/<scheduler-id>/run and observe that the scheduler is now running
Impact
An attacker can force a logged-in user to run a scheduler simply by getting them to open (or embed) the run link, since the action requires neither a POST request nor a CSRF token.
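To make the PoC concrete without a Rails install, here is an added example (written for this report, not autolab's own code) of the vulnerable action shape next to a hardened one. It is a plain-Ruby stand-in for the controller action behind the run URL: the `Request` struct, the session hash, the course and scheduler ids, and the `autolab.example` host in the comment are all constructed for the demonstration.

```ruby
require "securerandom"

# Added illustration, not autolab's code: a plain-Ruby stand-in for the
# controller action behind /courses/<course-name>/schedulers/<scheduler-id>/run.
# It contrasts the reported GET-triggered action with a POST-only action
# guarded by a per-session CSRF token. No Rails is loaded; the Request
# struct and the session hash are constructed here.

Request = Struct.new(:http_method, :path, :params, :session, keyword_init: true)

RUN_ROUTE = %r{\A/courses/([^/]+)/schedulers/(\d+)/run\z}

# Vulnerable shape: the route answers GET, so any request carrying the
# victim's session cookie runs the scheduler. An attacker page needs only
#   <img src="https://autolab.example/courses/c1/schedulers/7/run">
# (hypothetical host) and the victim's browser sends exactly that.
def vulnerable_run(req, executed)
  m = RUN_ROUTE.match(req.path) or return [404, "not found"]
  return [401, "login required"] unless req.session[:user_id]
  return [405, "method not allowed"] unless req.http_method == "GET"
  executed << m[2]
  [200, "scheduler #{m[2]} running"]
end

# Per-session token; the legitimate form embeds it as authenticity_token
# (the Rails parameter name). A cross-origin page cannot read it.
def csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a token check does not leak through timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened shape: state changes only over POST and only with the token.
def hardened_run(req, executed)
  m = RUN_ROUTE.match(req.path) or return [404, "not found"]
  return [401, "login required"] unless req.session[:user_id]
  # A link, <img>, prefetch or redirect can only produce GET; refuse it.
  return [405, "method not allowed"] unless req.http_method == "POST"
  # A cross-site auto-submitting form can POST, but cannot supply the token.
  expected = req.session[:csrf_token]
  unless expected && secure_compare(req.params["authenticity_token"].to_s, expected)
    return [422, "invalid authenticity token"]
  end
  executed << m[2]
  [200, "scheduler #{m[2]} running"]
end

# Walks the forgery scenario: the victim is logged in; the attacker can make
# the victim's browser send requests but cannot read the session or its token.
def scenario
  victim  = { user_id: 42 }                 # constructed server-side session
  path    = "/courses/c1/schedulers/7/run"  # constructed course/scheduler ids
  token   = csrf_token(victim)              # issued when the real form is rendered
  results = {}

  # 1. Forged GET (what <img src> produces) against the vulnerable action.
  ran = []
  results[:vuln_get] = vulnerable_run(
    Request.new(http_method: "GET", path: path, params: {}, session: victim), ran).first
  results[:vuln_get_ran] = ran

  # 2. The same forged GET against the hardened action.
  ran = []
  results[:hard_get] = hardened_run(
    Request.new(http_method: "GET", path: path, params: {}, session: victim), ran).first

  # 3. Forged cross-site POST: method is right, but the token is guessed.
  results[:hard_forged_post] = hardened_run(
    Request.new(http_method: "POST", path: path,
                params: { "authenticity_token" => "guess" }, session: victim), ran).first

  # 4. Legitimate same-site POST from the real form, token included.
  results[:hard_post] = hardened_run(
    Request.new(http_method: "POST", path: path,
                params: { "authenticity_token" => token }, session: victim), ran).first
  results[:hard_post_ran] = ran
  results
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

In Rails terms the fix is the same two lines of defence: declare the member route as `post :run` instead of `get :run`, and leave `protect_from_forgery` enabled. Rails only verifies the authenticity token on non-GET/HEAD requests, which is exactly why a GET-routed state change sidesteps the framework's CSRF protection; this is general Rails behaviour and has not been checked against autolab's own routes file here.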