Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Valid

Reported on

Oct 23rd 2021


Description

No CSRF in duplicate rule, and modifying the order of the rule group

Proof of Concept

<a href="https://demo.firefly-iii.org/rules/duplicate/1">Click Me!</a>
<a href="https://demo.firefly-iii.org/rule-groups/up/1">Click Me!</a>
<a href="https://demo.firefly-iii.org/rule-groups/down/1">Click Me!</a>

Impact

This vulnerability is capable of tricking admin users to duplicate rule and modifying order of rule groups

Permalinks selected with reference to this report: https://huntr.dev/bounties/da82f7b6-4ffc-4109-87a4-a2a790bd44e5/

Occurences

attackers able to duplicate any rule frontend

up/down api

attackers able to duplicate any rule backend

group down backend

attackers able to duplicate any rule backend

attackers able to duplicate any rule

up/down frontend

We have contacted a member of the firefly-iii team and are waiting to hear back a month ago
haxatron modified their report
a month ago
haxatron modified their report
a month ago
James Cole validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
haxatron
a month ago

Researcher


Lol I wanted to modify a permalink because I placed the wrong blob but you validated the report right away so nvm

James Cole
a month ago

Maintainer


Should be fixed, nice find. See the demo site.

James Cole
a month ago

Maintainer


Yeah I almost knew without looking ^^

James Cole confirmed that a fix has been merged on c2c8c4 a month ago
James Cole has been awarded the fix bounty
index.twig#L105L110 has been validated
EditController.php#L117L126 has been validated
web.php#L925L926 has been validated
RuleRepository.php#L76L99 has been validated
EditController.php#L71L81 has been validated
index.twig#L48L55 has been validated
haxatron
a month ago

Researcher


Am away from computer now, will check later

And yeah, Github is confusing lol

Jamie Slome
a month ago

Admin


CVE published! 🎊