Bug description
Current version of Firefly III Version 4.7.17.3 is vulnerable to local files enumeration.
Steps to reproduce
You will be redirected to http://your-host/import/job/configuration/[token] where you can see
"An error occurred while trying to connecting to your bank. Please make sure that all the data you entered is correct. Original error message: Bad response with status code 0".
Send request above again with "fints_url=file:///etc/something-that-do-not-exist", you will see
"An error occurred while trying to connecting to your bank. Please make sure that all the data you entered is correct. Original error message: Failed connection to file:///etc/something-that-do-not-exist: Couldn't open file /etc/something-that-do-not-exist".
Error codes are different, and a malicious attacker can use it to gain information about the local file system, enumerate files and paths, and brute-force the file structure. That issue appeared because you use libcurl without proper protocol sanitizing.
JC5 added the bug and fixed labels on Aug 2, 2019.
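One way to close this class of issue, as an added example that is not Firefly III's code (validateBankUrl and fetchFromBank are hypothetical names): reject any non-https scheme before the URL reaches libcurl, pin curl's allowed protocols as a second layer, and keep curl's own error text out of the user-facing message so file:// and https:// failures look identical.

```php
<?php
// Added example (not Firefly III's code): reject non-https bank URLs before
// libcurl sees them, pin curl's protocols, and never echo curl's error text.
declare(strict_types=1);

// Returns the URL if it is an absolute https URL with a host and no embedded
// credentials; null otherwise (file://, gopher://, dict:// ... are all rejected).
function validateBankUrl(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (strtolower($p['scheme']) !== 'https' || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    return $url;
}

// Hypothetical fetch helper: posts $payload to the validated URL.
function fetchFromBank(string $userSuppliedUrl, string $payload): string
{
    $url = validateBankUrl($userSuppliedUrl);
    if ($url === null) {
        throw new RuntimeException('Invalid bank URL.');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Defence in depth: curl itself refuses anything but https, even on redirects.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => $payload,
        CURLOPT_TIMEOUT         => 30,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // The precise reason goes to the server log only; the user gets one fixed message.
        error_log('bank request failed: ' . $err);
        throw new RuntimeException('Could not connect to your bank. Please check your settings.');
    }
    return $body;
}
```

With this in place, `fints_url=file:///etc/something-that-do-not-exist` is rejected at validation with the same message as any other malformed URL, and a transport failure to a real https host never reveals curl's diagnostic to the caller.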