Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#36454] - [4.1 ScheduledTasks - Security] Scheduled Tasks can be run "now" by CSRF as no token.

No Code Attached Yet
avatar PhilETaylor
PhilETaylor
27 Dec 2021

Steps to reproduce the issue

Create a scheduled task. Note its ID.

Navigate in another tab to

http://example.com/administrator/index.php?option=com_ajax&format=json&plugin=RunSchedulerTest&group=system&id=6

where 6 is the ID of your task

Expected result

Task doesn't run as a GET request should be validated by CSRF Token before running anything other than "get"ing data.

Actual result

Task is run, regardless of its not a manual task.

{
  "success": true,
  "message": null,
  "messages": null,
  "data": {
    "status": 0,
    "taskStart": 1640646415.469952,
    "netDuration": 0.0005578994750976562,
    "taskEnd": 1640646415.47051,
    "logCategory": "task6",
    "plugin": "demotasks",
    "startTime": 1640646415.469984,
    "endTime": 1640646415.470506,
    "duration": 0.0005218982696533203
  }
}

@joomla/security @ditsuke

avatar PhilETaylor PhilETaylor - open - 27 Dec 2021
avatar joomla-cms-bot joomla-cms-bot - change - 27 Dec 2021
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 27 Dec 2021
avatar PhilETaylor PhilETaylor - change - 27 Dec 2021
The description was changed
avatar PhilETaylor PhilETaylor - edited - 27 Dec 2021
avatar richard67 richard67 - change - 2 Jan 2022
Status New Closed
Closed_Date 0000-00-00 00:00:00 2022-01-02 15:04:05
Closed_By richard67
avatar richard67 richard67 - close - 2 Jan 2022
avatar richard67
richard67 - comment - 2 Jan 2022

Closing as having a pull request. Please test #36518 . Thanks in advance.

Add a Comment

Login with GitHub to post a comment