Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Valid

Reported on

Jun 2nd 2021


✍️ Description

The /export/export endpoint has no CSRF protection: a plain GET request carrying the user's session cookie returns the account export, so any third-party page can trigger the download with a link or redirect. Combined with social engineering (tricking the user into handing over the downloaded file), this lets an attacker obtain the user's account data.

🕵️‍♂️ Proof of Concept

  • Login to user account.
  • Create the following file and open the page in browser.
<!-- PoC.html: hosted on any attacker-controlled origin.
     Following the link is a top-level GET, so the browser attaches the
     victim's Firefly III session cookie and the export is downloaded. -->
<!DOCTYPE html>
<html>
<body>
        To verify that you are a human, upload the file that has been downloaded from our website now.
        <a href="https://demo.firefly-iii.org/export/export">Download Test File</a>
</body>
</html>
  • Clicking the link downloads the user's data from the application without the user's consent. The attacker can then socially engineer the user into uploading this file to an attacker-controlled server.

💥 Impact

Leakage of private account data through phishing, made possible by the missing CSRF protection on the export endpoint.

Jamie Slome
a year ago

Admin


I have contacted the maintainer privately via e-mail and we will await a response from them.

James Cole validated this vulnerability a year ago
Oomb has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole
a year ago

Maintainer


Valid issue. Thanks again. I have pushed a commit that should fix this. I would appreciate if somebody verifies it works, then I can release 5.5.12 to fix it (with proper credits in the changelog etc)

https://github.com/firefly-iii/firefly-iii/commit/a54f152a34125d7b97c5cdfed35adb3fed695600

Jamie Slome
a year ago

Admin


No worries James.

@oomb, can you please check the patch?

Oomb
a year ago

Researcher


James, the fix looks good to me. I think you can proceed with release. Thank you for your quick response.

James Cole confirmed that a fix has been merged on 530332 a year ago
has been awarded the fix bounty
Z-Old
a year ago

Admin


Awesome!
