Cross Site Request Forgery in Release all grades feature in autolab/autolab

Valid

Reported on

Apr 24th 2022


Description

Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Proof of Concept

  1. Install autolab and log in as admin
  2. Access the link /courses/<course-name>/assessments/<assessment-name>/releaseAllGrades
  3. See that all grade are released

Impact

CSRF

Occurrences

We are processing your report and will contact the autolab team within 24 hours. a month ago
We have contacted a member of the autolab team and are waiting to hear back a month ago
autolab/autolab maintainer
a month ago

Maintainer


We have seen your report and are able to reproduce the behavior that can cause the CSRF. We are working on a fix and will get back on we have it ready to go!

We have sent a follow up to the autolab team. We will try again in 7 days. a month ago
autolab/autolab maintainer modified the Severity from Critical (9.3) to High (8.2) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
autolab/autolab maintainer validated this vulnerability a month ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joey Wildman confirmed that a fix has been merged on a5fa31 24 days ago
Joey Wildman has been awarded the fix bounty
routes.rb#L143 has been validated
Joey Wildman
24 days ago

Maintainer


CSRF vulnerability fixed by changing request type from GET to POST and adding rails CSRF protection via protect_from_forgery: https://github.com/autolab/Autolab/pull/1512

to join this conversation