External Control of File Name or Path in opensourcepos/opensourcepos

Valid

Reported on

Aug 26th 2021


✍️ Description

The form rendered by the giftcards/view/ page builds its action attribute from the last segment of the request URL without validating it. By editing that segment, the target of the gift card POST request can be changed so that the submitted data is sent to a different page.

🕵️‍♂️ Proof of Concept

Open the gift card view page with the last URL segment replaced, for example

https://mydomain.com/giftcards/view/anotherpagehere

The form action in the rendered page then reflects that segment:

<form action="https://mydomain.com/giftcards/save/anotherpagehere" id="giftcard_form" class="form-horizontal" method="post" accept-charset="utf-8">

💥 Impact

Form action hijacking arises when an application places user-supplied input into the action URL of an HTML form. An attacker can construct a URL that, when visited by another user of the application, changes the action of a form to point to a different page. If that user then submits the form, its contents, including any data the victim entered, are POSTed to the substituted target instead of the intended handler.
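To make the pattern concrete, the following is an added example (not opensourcepos code; the function names, the base URL and the route layout are assumptions) showing how a URL segment ends up verbatim in a form action, and a hardened version that treats the segment as the numeric object reference the route expects:

```php
<?php
// Added example, not taken from opensourcepos. Function names, the base URL
// and the route layout are assumptions used only to illustrate the pattern.

// Vulnerable pattern: the last path segment of /giftcards/view/<segment> is
// concatenated verbatim into the save route used as the form action.
function build_action_unsafe(string $base_url, string $segment): string
{
    return $base_url . '/giftcards/save/' . $segment;
}

// Hardened pattern: the segment is meant to be a database id, so accept only
// a decimal integer. Anything else is rejected before a form is rendered
// (the caller should answer with a 400 or 404 instead).
function build_action_safe(string $base_url, string $segment): ?string
{
    if (!ctype_digit($segment)) {
        return null;
    }
    $id = (int) $segment;
    return $base_url . '/giftcards/save/' . $id;
}

// Attribute values are always HTML-encoded, even after validation, so a
// segment can never break out of the action attribute.
function render_form(string $action): string
{
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8')
        . '" id="giftcard_form" class="form-horizontal" method="post" accept-charset="utf-8"></form>';
}

$base = 'https://mydomain.com'; // constructed sample host

// Normal use: a numeric id taken from the URL.
echo render_form(build_action_unsafe($base, '12')), PHP_EOL;

// The input from the proof of concept: the segment is reflected as-is.
echo render_form(build_action_unsafe($base, 'anotherpagehere')), PHP_EOL;

// Hardened handling of the same input: rejected rather than rendered.
$safe = build_action_safe($base, 'anotherpagehere');
echo $safe === null ? 'rejected non-numeric segment' : render_form($safe), PHP_EOL;

// Hardened handling of a legitimate id still produces the expected action.
echo render_form(build_action_safe($base, '12')), PHP_EOL;
```

Running this with the PoC value prints a form whose action ends in /giftcards/save/anotherpagehere for the unsafe builder, and "rejected non-numeric segment" for the validated one; the point of the check is that the route only ever receives an id that can exist in the database, which also removes the error path the maintainer describes below when a non-existent reference reaches the save handler.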

Z-Old
9 months ago

Admin


Hey Melbin, I've just emailed the repo maintainer about this report.

We have contacted a member of the opensourcepos team and are waiting to hear back 9 months ago
jekkos validated this vulnerability 9 months ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos
9 months ago

Maintainer


How is this vulnerability alone harmful? The attacker will need to have access to the filesystem to catch the POST request within this other page, no? So this vuln alone isn't really that harmful?

jekkos
9 months ago

Maintainer


I think the server will just throw an error as it won't be able to update anything for the last part of the URL (which is the object reference in the db which does not exist).

jekkos
a month ago

Maintainer


The form will remain on the same domain. I don't think this issue is really the vulnerability described in the explanation.

jekkos confirmed that a fix has been merged on 9331d8 a month ago
jekkos has been awarded the fix bounty