Cross Site Request Forgery in Release all grades feature in autolab/autolab

Valid

Reported on

Apr 24th 2022

Description

Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Proof of Concept

Install autolab and log in as admin
Access the link /courses/<course-name>/assessments/<assessment-name>/releaseAllGrades
See that all grade are released

Impact

CSRF

Occurrences

routes.rb L143

We are processing your report and will contact the autolab team within 24 hours. a year ago

We have contacted a member of the autolab team and are waiting to hear back a year ago

A autolab/autolab maintainer

commented a year ago

Maintainer

We have seen your report and are able to reproduce the behavior that can cause the CSRF. We are working on a fix and will get back on we have it ready to go!

We have sent a follow up to the autolab team. We will try again in 7 days. a year ago

A autolab/autolab maintainer modified the Severity from Critical (9.3) to High (8.2) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

A autolab/autolab maintainer validated this vulnerability a year ago

justinp09010 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Joey Wildman marked this as fixed in 2.8.0 with commit a5fa31 a year ago

Joey Wildman has been awarded the fix bounty

This vulnerability will not receive a CVE

routes.rb#L143 has been validated

Joey Wildman

commented a year ago

Maintainer

CSRF vulnerability fixed by changing request type from GET to POST and adding rails CSRF protection via protect_from_forgery: https://github.com/autolab/Autolab/pull/1512

to join this conversation

We are processing your report and will contact the autolab team within 24 hours. a year ago

We have contacted a member of the autolab team and are waiting to hear back a year ago

A autolab/autolab maintainer

commented a year ago

Maintainer

We have seen your report and are able to reproduce the behavior that can cause the CSRF. We are working on a fix and will get back on we have it ready to go!

We have sent a follow up to the autolab team. We will try again in 7 days. a year ago

A autolab/autolab maintainer modified the Severity from Critical (9.3) to High (8.2) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

A autolab/autolab maintainer validated this vulnerability a year ago

justinp09010 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Joey Wildman marked this as fixed in 2.8.0 with commit a5fa31 a year ago

Joey Wildman has been awarded the fix bounty

This vulnerability will not receive a CVE

routes.rb#L143 has been validated

Joey Wildman

commented a year ago

Maintainer

CSRF vulnerability fixed by changing request type from GET to POST and adding rails CSRF protection via protect_from_forgery: https://github.com/autolab/Autolab/pull/1512

to join this conversation