Lucene search
Ktg95ABB7915-32F4-4FB1-AFA7-BB6D8C4C5AD2HistoryJan 10, 2022 - 3:59 a.m.
Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite
2022-01-1003:59:26
ktg9
www.huntr.dev
10
csrf
phoronix test suite
web security
EPSS
0.002
Percentile
59.5%
Description
Hi there, I would like to report a Cross Site Request Forgery in phoronix source code. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
Proof of Concept
- Install a local instance of phoronix test suite
- Create a schedule, note down the schedule id
- Access this link
/?schedules/<schedule-id>/deactivateand see that the schedule is deactivated - Access this link
/?schedules/<schedule-id>/activateand see that the schedule is activated. - In real attack scenarios, the hacker would send the 2 above links to the victim and when they clicks it, their schedules are activated/deactivated without their consent.
Impact
This vulnerability is capable of CSRF.
References
Related
cve
cve
CVE-2022-0197
2022-01-13 01:15:08
cvelist
cvelist
prion
prion
Cross site request forgery (csrf)
2022-01-13 01:15:00
ubuntucve
ubuntucve
CVE-2022-0197
2022-01-13 00:00:00
osv
osv
CVE-2022-0197
2022-01-13 01:15:08
nvd
nvd
CVE-2022-0197
2022-01-13 01:15:08
openvas
openvas
Fedora: Security Advisory for phoronix-test-suite (FEDORA-2022-43f11039b2)
2022-02-10 00:00:00
Mageia: Security Advisory (MGASA-2022-0067)
2022-02-18 00:00:00
Fedora: Security Advisory for phoronix-test-suite (FEDORA-2022-8f968eea82)
2022-02-10 00:00:00
fedora
fedora
[SECURITY] Fedora 34 Update: phoronix-test-suite-10.8.1-1.fc34
2022-02-10 01:16:34
[SECURITY] Fedora 35 Update: phoronix-test-suite-10.8.1-1.fc35
2022-02-10 01:32:18
mageia
mageia
Updated phoronix-test-suite packages fix security vulnerability
2022-02-18 03:14:24