Cross site Request Forgery in running schedule by using GET method. in autolab/autolab


Reported on

May 11th 2022


There is a CRSF in autolab source code in running scheduler due to usage of GET method.

Proof of Concept

  1. Install a local instance of autolab
  2. Go to /courses/<course-name>/schedulers and create a schedule
  3. Access the link courses/<course-name>/schedulers/<scheduler-id>/run and see that the schedulers is running


Forcefully make the user to run schedulers.


We are processing your report and will contact the autolab team within 24 hours. 13 days ago
We have contacted a member of the autolab team and are waiting to hear back 12 days ago
Joey Wildman validated this vulnerability 12 days ago

We have verified this issue and are working on a fix.

justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Damian Ho confirmed that a fix has been merged on af5eb6 10 days ago
Damian Ho has been awarded the fix bounty
routes.rb#L75 has been validated
to join this conversation