CVE-2021-3846
📋 TL;DR
CVE-2021-3846 is an unrestricted file upload vulnerability in Firefly III personal finance software that allows attackers to upload dangerous file types. This could lead to remote code execution or server compromise. All Firefly III users with affected versions are vulnerable.
💻 Affected Systems
- Firefly III
📦 What is this software?
Firefly III by Firefly III
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.
Likely Case
File upload leading to web shell deployment, allowing attackers to execute arbitrary commands on the server.
If Mitigated
If proper file type validation and upload restrictions are in place, impact is limited to potential denial of service through resource exhaustion.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public proof-of-concept exists in the huntr.dev bounty report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.2 and later
Vendor Advisory: https://github.com/firefly-iii/firefly-iii/commit/a85b6420c19ace35134f896e094e1971d8c7954b
Restart Required: Yes
Instructions:
1. Back up your Firefly III database and configuration.
2. Update to Firefly III version 5.6.2 or later.
3. Restart the web server/service.
4. Verify the fix by checking the version and testing file upload functionality.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable all file upload functionality in Firefly III
Modify Firefly III configuration to disable import/export features
Web server file type restrictions
Configure the web server to block dangerous file extensions
For Apache: Add 'Deny from all' for .php, .phtml, .phar extensions in .htaccess
For Nginx: Add location block to deny dangerous file types
🧯 If You Can't Patch
- Implement strict file type validation at the application level
- Restrict upload directory permissions and disable script execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check the Firefly III version. If the version is below 5.6.2, the system is vulnerable.
Check Version:
Check the .env file or Firefly III web interface for version information
Verify Fix Applied:
After updating to 5.6.2 or later, attempt to upload a file with a dangerous extension (e.g., .php). The upload should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with dangerous extensions
- Multiple failed upload attempts
- Successful uploads of executable files
Network Indicators:
- POST requests to upload endpoints with suspicious file types
- Subsequent requests to uploaded files with executable extensions
SIEM Query:
source="firefly-iii" AND (event="file_upload" AND file_extension IN ("php", "phtml", "phar", "exe"))
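The log and network indicators above, turned into detection logic over constructed sample records. This is an added example, not part of the original advisory or Firefly III's own code; the JSON-lines upload event format and the /storage/upload/ request path are assumptions.

```python
import json
import re
from typing import Dict, List

# Extensions from the SIEM query above. Matching is case-insensitive and looks at
# every trailing extension, so a double extension such as "invoice.pdf.PHP" is caught.
DANGEROUS_EXT = {"php", "phtml", "phar", "exe"}

# Constructed sample data (not real Firefly III logs). Assumed formats: JSON-lines
# application events for uploads, combined-format web server access log lines.
UPLOAD_EVENTS = [
    '{"event":"file_upload","user":"alice","filename":"receipt.pdf","result":"ok"}',
    '{"event":"file_upload","user":"mallory","filename":"invoice.pdf.PHP","result":"ok"}',
    '{"event":"file_upload","user":"mallory","filename":"tool.exe","result":"rejected"}',
    '{"event":"login","user":"bob"}',
]
ACCESS_LOG = [
    '10.0.0.7 - - [10/Nov/2021:10:01:12 +0000] "GET /storage/upload/invoice.pdf.PHP HTTP/1.1" 200 13',
    '10.0.0.9 - - [10/Nov/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4321',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def has_dangerous_ext(name: str) -> bool:
    """True if any extension after the first dot is a script/executable type."""
    parts = name.lower().split(".")
    return any(p in DANGEROUS_EXT for p in parts[1:])

def flag_uploads(events: List[str]) -> List[Dict]:
    """Log indicator: upload events whose filename carries a dangerous extension."""
    hits = []
    for line in events:
        rec = json.loads(line)
        if rec.get("event") == "file_upload" and has_dangerous_ext(rec.get("filename", "")):
            hits.append(rec)
    return hits

def flag_upload_dir_requests(access_log: List[str], upload_prefix: str = "/storage/upload/") -> List[str]:
    """Network indicator: requests for script/executable files under the upload directory.
    Restricting to the upload prefix keeps legitimate app entry points (e.g. /index.php) out."""
    paths = []
    for line in access_log:
        m = REQ_RE.search(line)
        if m and m["path"].startswith(upload_prefix) and has_dangerous_ext(m["path"].rsplit("/", 1)[-1]):
            paths.append(m["path"])
    return paths

def triage(events: List[str], access_log: List[str]) -> Dict[str, List[str]]:
    """Correlate both indicators: a successful dangerous upload that is later fetched is critical."""
    uploaded = {r["filename"].lower() for r in flag_uploads(events) if r.get("result") == "ok"}
    fetched = {p.rsplit("/", 1)[-1].lower() for p in flag_upload_dir_requests(access_log)}
    return {"upload_alerts": sorted(uploaded), "critical": sorted(uploaded & fetched)}
```

Rejected uploads still appear in `flag_uploads` (they match the "multiple failed upload attempts" indicator) but are excluded from the critical correlation, which only considers files the application actually stored.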
🔗 References
- https://github.com/firefly-iii/firefly-iii/commit/a85b6420c19ace35134f896e094e1971d8c7954b
- https://huntr.dev/bounties/5267ec1c-d204-40d2-bd4f-6c2dd495ee18