Business Logic Errors in crater-invoice/crater

Valid

Reported on

Jan 27th 2022


Description

It was found that the company currency cannot be changed through the UI, since the field is disabled as shown in the screenshot, but it can still be changed by tampering with the request parameter.

Proof of Concept

Actual Request


POST /api/v1/company/settings HTTP/1.1
Host: demo.craterapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
company: 1
Content-Type: application/json;charset=utf-8
X-XSRF-TOKEN: 
Content-Length: 3344
Origin: https://demo.craterapp.com
Connection: close
Referer: https://demo.craterapp.com/admin/settings/preferences
Cookie: 
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"settings":{"invoice_auto_generate":"YES","payment_auto_generate":"YES","estimate_auto_generate":"YES","save_pdf_to_disk":"NO","invoice_mail_body":"You have received a new invoice from <b>{COMPANY_NAME}</b>.</br> Please download using the button below:","estimate_mail_body":"You have received a new estimate from <b>{COMPANY_NAME}</b>.</br> Please download using the button below:","payment_mail_body":"Thank you for the payment.</b></br> Please download your payment receipt using the button below:","invoice_company_address_format":"<h3><strong>{COMPANY_NAME}</strong></h3><p>{COMPANY_ADDRESS_STREET_1}</p><p>{COMPANY_ADDRESS_STREET_2}</p><p>{COMPANY_CITY} {COMPANY_STATE}</p><p>{COMPANY_COUNTRY}  {COMPANY_ZIP_CODE}</p><p>{COMPANY_PHONE}</p>","invoice_shipping_address_format":"<h3>{SHIPPING_ADDRESS_NAME}</h3><p>{SHIPPING_ADDRESS_STREET_1}</p><p>{SHIPPING_ADDRESS_STREET_2}</p><p>{SHIPPING_CITY}  {SHIPPING_STATE}</p><p>{SHIPPING_COUNTRY}  {SHIPPING_ZIP_CODE}</p><p>{SHIPPING_PHONE}</p>","invoice_billing_address_format":"<h3>{BILLING_ADDRESS_NAME}</h3><p>{BILLING_ADDRESS_STREET_1}</p><p>{BILLING_ADDRESS_STREET_2}</p><p>{BILLING_CITY}  {BILLING_STATE}</p><p>{BILLING_COUNTRY}  {BILLING_ZIP_CODE}</p><p>{BILLING_PHONE}</p>","estimate_company_address_format":"<h3><strong>{COMPANY_NAME}</strong></h3><p>{COMPANY_ADDRESS_STREET_1}</p><p>{COMPANY_ADDRESS_STREET_2}</p><p>{COMPANY_CITY} {COMPANY_STATE}</p><p>{COMPANY_COUNTRY}  {COMPANY_ZIP_CODE}</p><p>{COMPANY_PHONE}</p>","estimate_shipping_address_format":"<h3>{SHIPPING_ADDRESS_NAME}</h3><p>{SHIPPING_ADDRESS_STREET_1}</p><p>{SHIPPING_ADDRESS_STREET_2}</p><p>{SHIPPING_CITY}  {SHIPPING_STATE}</p><p>{SHIPPING_COUNTRY}  {SHIPPING_ZIP_CODE}</p><p>{SHIPPING_PHONE}</p>","estimate_billing_address_format":"<h3>{BILLING_ADDRESS_NAME}</h3><p>{BILLING_ADDRESS_STREET_1}</p><p>{BILLING_ADDRESS_STREET_2}</p><p>{BILLING_CITY}  {BILLING_STATE}</p><p>{BILLING_COUNTRY}  {BILLING_ZIP_CODE}</p><p>{BILLING_PHONE}</p>","payment_company_address_format":"<h3><strong>{COMPANY_NAME}</strong></h3><p>{COMPANY_ADDRESS_STREET_1}</p><p>{COMPANY_ADDRESS_STREET_2}</p><p>{COMPANY_CITY} {COMPANY_STATE}</p><p>{COMPANY_COUNTRY}  {COMPANY_ZIP_CODE}</p><p>{COMPANY_PHONE}</p>","payment_from_customer_address_format":"<h3>{BILLING_ADDRESS_NAME}</h3><p>{BILLING_ADDRESS_STREET_1}</p><p>{BILLING_ADDRESS_STREET_2}</p><p>{BILLING_CITY} {BILLING_STATE} {BILLING_ZIP_CODE}</p><p>{BILLING_COUNTRY}</p><p>{BILLING_PHONE}</p>","currency":"1","time_zone":"UTC","language":"en","fiscal_year":"2-1","carbon_date_format":"Y/m/d","moment_date_format":"YYYY/MM/DD","notification_email":"noreply@noreply@craterapp.com","notify_invoice_viewed":"NO","notify_estimate_viewed":"NO","tax_per_item":"NO","discount_per_item":"NO","invoice_email_attachment":"NO","estimate_email_attachment":"NO","payment_email_attachment":"NO","retrospective_edits":"allow","invoice_number_format":"{{SERIES:INV}}{{DELIMITER:-}}{{SEQUENCE:6}}","estimate_number_format":"{{SERIES:EST}}{{DELIMITER:-}}{{SEQUENCE:6}}","payment_number_format":"{{SERIES:PAY}}{{DELIMITER:-}}{{SEQUENCE:6}}","estimate_set_expiry_date_automatically":"YES","estimate_expiry_date_days":"7","invoice_set_due_date_automatically":"YES","invoice_due_date_days":"7","bulk_exchange_rate_configured":"YES","estimate_convert_action":"no_action","automatically_expire_public_links":"YES"}}

In the above request you can see that the currency value is set to 1, which is US dollar and which, per the screenshot, cannot be changed from the UI. Changing the value to 2 in the request body, however, does change the company currency.
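The root cause described above is that the "disabled" state of the currency field lived only in the browser, while the settings endpoint accepted whatever the client sent. The following is an added example (not Crater's code) of how a settings-update handler can enforce such a lock on the server side: it takes a request body in the same {"settings": {...}} shape as the report's request, refuses any request that tries to change a locked field, and never copies locked fields from the client even when their value is unchanged. The names LOCKED_FIELDS, update_company_settings, is_rejected and the sample stored settings and payloads are assumptions constructed for this example.

```python
"""Server-side enforcement of a UI-locked settings field.

Added example, not code from the Crater project. It models the
/api/v1/company/settings update from the report: the client posts a JSON
"settings" object and the server decides which fields may change, regardless
of what the UI rendered as disabled. All names and sample data are assumptions.
"""
import json

# Fields the server treats as immutable once the company exists.
# Assumption for this example: in a real application this decision belongs in
# the domain layer (e.g. "currency is locked once any invoice has been issued").
LOCKED_FIELDS = frozenset({"currency"})

# Constructed sample of what the server currently stores for a company.
STORED_SETTINGS = {
    "currency": "1",   # 1 = US dollar in the report's demo instance
    "time_zone": "UTC",
    "language": "en",
    "fiscal_year": "2-1",
}

# Constructed sample payloads in the report's request-body shape.
LEGIT_PAYLOAD = json.dumps({"settings": {"currency": "1", "language": "fr"}})
TAMPERED_PAYLOAD = json.dumps({"settings": {"currency": "2", "language": "en"}})


class LockedFieldError(ValueError):
    """Raised when a request attempts to change a server-locked field."""


def tampered_locked_fields(stored, incoming, locked=LOCKED_FIELDS):
    """Return the sorted names of locked fields whose incoming value differs
    from the stored one. Values are compared as strings because JSON clients
    may send numbers where the server stores strings (or vice versa)."""
    return sorted(
        name for name in locked
        if name in incoming and str(incoming[name]) != str(stored.get(name))
    )


def update_company_settings(stored, payload, locked=LOCKED_FIELDS, strict=True):
    """Apply a JSON settings payload to `stored` and return the new settings.

    strict=True  : any change to a locked field rejects the whole request
                   (the behaviour a fix for the reported issue should have).
    strict=False : locked fields are silently kept at their stored value.
    `stored` is never mutated.
    """
    body = json.loads(payload)
    incoming = body.get("settings") if isinstance(body, dict) else None
    if not isinstance(incoming, dict):
        raise ValueError("request body must contain a 'settings' object")

    tampered = tampered_locked_fields(stored, incoming, locked)
    if tampered and strict:
        # Worth logging in a real service: the UI never submits a changed
        # value for a disabled field, so this is a direct API call.
        raise LockedFieldError(f"locked field(s) changed: {tampered}")

    new_settings = dict(stored)
    for name, value in incoming.items():
        if name in locked:
            continue  # locked fields are never taken from the client
        new_settings[name] = value
    return new_settings


def is_rejected(stored, payload, locked=LOCKED_FIELDS):
    """True if the strict handler refuses the payload because of a locked field."""
    try:
        update_company_settings(stored, payload, locked, strict=True)
    except LockedFieldError:
        return True
    return False


if __name__ == "__main__":
    print("legit   ->", update_company_settings(STORED_SETTINGS, LEGIT_PAYLOAD))
    print("tampered rejected:", is_rejected(STORED_SETTINGS, TAMPERED_PAYLOAD))
    print("lenient ->", update_company_settings(STORED_SETTINGS, TAMPERED_PAYLOAD, strict=False))
```

The strict mode is the better default for a fix: rejecting the request makes the tampering visible in logs and to the caller, whereas silently dropping the field hides an attempt that a defender would want to see.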


Impact

Since different currencies have different values, this might affect the company financially.

We are processing your report and will contact the crater-invoice/crater team within 24 hours. a year ago
We have contacted a member of the crater-invoice/crater team and are waiting to hear back a year ago
Mohit Panjwani
a year ago

Hey, Thanks for the report but I don't think this is a major issue because only the owner of the company / super admin can access this endpoint.

shubh123-tri
a year ago

Researcher


But it has already been in a disabled state and should not be allowed to change in either case.

We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. a year ago
We have sent a second follow up to the crater-invoice/crater team. We will try again in 10 days. a year ago
Mohit Panjwani validated this vulnerability a year ago
shubh123-tri has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the crater-invoice/crater team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the crater-invoice/crater team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the crater-invoice/crater team. This report is now considered stale. a year ago
Mohit Panjwani marked this as fixed in 6.0.5 with commit fadef0 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE