Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Jun 2nd 2021
The /export/export endpoint has no CSRF protection. This could be used to force a download of the victim's account data and potentially to deceive users.
Proof of Concept
- Log in to the user account.
- Create the following file and open it in the browser.
```html
<!-- PoC.html -->
<html>
<body>
To verify that you are a human, upload the file that has been downloaded from our website now.
<a href="https://demo.firefly-iii.org/export/export">Download Test File</a>
</body>
</html>
```
- This downloads the user's data from the application without the user's permission. An attacker can then deceive the user into uploading this file to an attacker-controlled server.
Potential private-information leakage through phishing, enabled by the missing CSRF token.
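The missing check, as an added illustration of the mitigation rather than Firefly III's own code: a sensitive action such as the export above should not be reachable by a plain GET link, and a same-origin POST must carry a per-session CSRF token. The origin `https://app.example`, the `_token` field name and the dict-shaped requests are assumptions of this example.

```python
# Hypothetical synchronizer-token CSRF guard for an export endpoint.
# Not Firefly III code; requests are modelled as plain dicts for clarity.
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://app.example"  # assumed application origin


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token and keep it server-side (synchronizer pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def export_allowed(request: dict, session: dict) -> bool:
    """Decide whether an export request may proceed.

    request keys (constructed): method, headers, form.
    Rejects the kind of cross-site link navigation shown in the PoC:
      * GET is never accepted for the export action (links can only send GET)
      * Origin/Referer, when present, must match the application's origin
      * the form must carry the session's token (constant-time comparison)
    """
    if request.get("method") != "POST":
        return False
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
            return False
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # A link navigation from a foreign page: GET, no token, foreign Referer.
    cross_site = {"method": "GET",
                  "headers": {"Referer": "https://evil.example/page.html"}}
    print(export_allowed(cross_site, session))  # False
    # A legitimate export submitted from the application's own page.
    same_site = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
                 "form": {"_token": token}}
    print(export_allowed(same_site, session))   # True
```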