Unrestricted Upload of File with Dangerous Type in firefly-iii/firefly-iii
Oct 1st 2021
Description file upload vulnerability in application Proof of Concept step to reproduce 1)login to application 2) goto https://demo.firefly-iii.org/create-from-bill/1 3) upload file any kind of file application accept Reference PoC 1) https://i.ibb.co/9wWRnsf/Screenshot-12.png 2)https://i.ibb.co/68NRd4m/Screenshot-13.png while creating new bill user is able to upload any kind of malicious file which will allows attacker to run remote code to compromise appliation. code <input multiple="multiple" helptext="Maximum file size: 64 MB" class="form-control" id="ffInput_attachments" autocomplete="off" placeholder="Attachments" name="attachments" type="file"> Solution : define file type validation in client side of the application to validate the file extension
Unclear but validated nonetheless. A mime-type validation is in place and the demo user is not allowed to upload anyway.
- The feedback to the user about a blocked upload is missing but I dont consider it a security issue
- Is the list of mime types too wide perhaps? see https://github.com/firefly-iii/firefly-iii/blob/main/config/firefly.php#L225
Let me know
i have checked was able to upload any kind of files please validate file extension in application side before submitting the request and also mime type as a second layer of protection for file upload kind of vulnerability.
The file extension is user input, I'm not going to rely on that. Mime type protection is already in place and works for me: local.ERROR: File "winrar-x64-602.exe" is of type "application/x-dosexec" which is not accepted as a new upload.
To properly validate the file MIME you need to use finfo which internally uses finfo_open
Basically you use it the following way
/** Using finfo to just get the MIME type */ $finfo = new finfo(FILEINFO_MIME_TYPE);
/** You will get extension along with the mime types */ $extension = $finfo->file($file_tmp);
Ahhhh miscommunication there, thanks. Bad code on my part. API upload uses finfo, the bill form does not. Will be fixed!
Already fixed: the UploadedFile class validates the mime type also using finfo. Did you spot any gaps?
let me check wait
CVE published! 🎊