Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Reported on
Oct 23rd 2021
Description
There is no CSRF protection on the endpoint that duplicates a rule, or on the endpoints that move a rule group up or down. All three are plain GET requests that change state, so a link from any site is enough to trigger them in a logged-in user's session.
Proof of Concept
<a href="https://demo.firefly-iii.org/rules/duplicate/1">Click Me!</a>
<a href="https://demo.firefly-iii.org/rule-groups/up/1">Click Me!</a>
<a href="https://demo.firefly-iii.org/rule-groups/down/1">Click Me!</a>
Impact
This vulnerability allows an attacker to trick an authenticated admin user into duplicating a rule and changing the order of rule groups simply by getting them to follow a link.
Permalinks selected with reference to this report: https://huntr.dev/bounties/da82f7b6-4ffc-4109-87a4-a2a790bd44e5/
Occurrences
index.twig L105-L110: attackers able to duplicate any rule (frontend)
web.php L925-L926: up/down routes
EditController.php L117-L126: group up (backend)
RuleRepository.php L76-L99: attackers able to duplicate any rule (backend)
EditController.php L71-L81: group down (backend)
CreateController.php L242-L249: attackers able to duplicate any rule (backend)
RuleRepositoryInterface.php L49-L60: attackers able to duplicate any rule
index.twig L48-L55: up/down (frontend)
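The occurrences above point at GET routes in web.php and anchor tags in the Twig views. The usual fix for this class of CSRF is to stop performing state changes on GET and move the actions to POST, so that Laravel's VerifyCsrfToken middleware (applied to every route in web.php via the web middleware group) checks the session token. The following is an added example of that pattern, not Firefly III's own code; the controller class names, route names and the exact URIs are assumptions modelled on the paths quoted in the proof of concept.

```php
<?php
// Added example, not from Firefly III. Controller names, route names and
// URIs are assumptions based on the paths in the report
// (/rules/duplicate/{id}, /rule-groups/up/{id}, /rule-groups/down/{id}).

use Illuminate\Support\Facades\Route;

// Vulnerable pattern: state-changing actions reachable with a plain GET.
// The browser attaches the session cookie to any cross-site link, and
// VerifyCsrfToken deliberately skips "reading" methods (GET, HEAD, OPTIONS),
// so no token is ever checked before the action runs.
Route::middleware(['auth'])->group(function () {
    Route::get('rules/duplicate/{rule}', [RuleCreateController::class, 'duplicate']);
    Route::get('rule-groups/up/{ruleGroup}', [RuleGroupEditController::class, 'up']);
    Route::get('rule-groups/down/{ruleGroup}', [RuleGroupEditController::class, 'down']);
});

// Hardened pattern: the same actions, reachable only via POST. Because these
// routes live in web.php they run through the web middleware group, which
// includes VerifyCsrfToken; a POST without a valid _token for the session is
// rejected with HTTP 419 before the controller is invoked, and a GET to the
// same URI now fails with HTTP 405 because no GET route exists.
Route::middleware(['auth'])->group(function () {
    Route::post('rules/duplicate/{rule}', [RuleCreateController::class, 'duplicate'])
        ->name('rules.duplicate');
    Route::post('rule-groups/up/{ruleGroup}', [RuleGroupEditController::class, 'up'])
        ->name('rule-groups.up');
    Route::post('rule-groups/down/{ruleGroup}', [RuleGroupEditController::class, 'down'])
        ->name('rule-groups.down');
});

// The matching view change (Twig, shown here as a comment because the whole
// file is PHP): replace the bare anchor with a small form that carries the
// session token. The csrf_token() function is Laravel's; route() resolves the
// named routes declared above.
//
//   <form method="post" action="{{ route('rules.duplicate', {'rule': rule.id}) }}">
//       <input type="hidden" name="_token" value="{{ csrf_token() }}">
//       <button type="submit" class="btn btn-default">Duplicate</button>
//   </form>
//
// The same form with route('rule-groups.up', ...) and route('rule-groups.down', ...)
// replaces the up/down arrows.
```

One caveat when verifying the fix with Laravel feature tests: VerifyCsrfToken skips the token check whenever the application is running in the testing environment, so a test that POSTs without a token will still see a 200. A feature test can only confirm that the old GET route is gone (expect 405); confirming the 419 on a token-less POST has to be done against a non-testing environment, for example by replaying the request with curl and no _token field.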
Lol I wanted to modify a permalink because I placed the wrong blob but you validated the report right away so nvm
I'm away from my computer now, will check later
And yeah, GitHub is confusing lol