External Control of File Name or Path in opensourcepos/opensourcepos
Reported on Aug 26th 2021
✍️ Description
The giftcards/view/ POST request can be hijacked so that the submitted data is sent to another page, by modifying the login page URL.
🕵️♂️ Proof of Concept
Change the login page URL to
https://mydomain.com/giftcards/view/anotherpagehere
Then the form action in the webpage will be changed to
<form action="https://mydomain.com/giftcards/save/anotherpagehere" id="giftcard_form" class="form-horizontal" method="post" accept-charset="utf-8">
💥 Impact
Form action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to another page. If the user submits the form, its contents, including any input entered by the victim user, will be POSTed to the new page instead of the original one.
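An added illustration of the pattern this report describes (a constructed example, not code from the opensourcepos repository; the domain and route follow the PoC above, while the helper names and the numeric-id rule are assumptions): the first function reflects the trailing path segment into the form action exactly as the PoC shows, and the second accepts only a numeric gift card id, which is the input check that stops an attacker-chosen segment from reaching the action attribute.

```python
import html
import re

# Constructed example, not opensourcepos code. The report shows that the
# trailing segment of /giftcards/view/<segment> is copied into the form's
# action attribute as /giftcards/save/<segment>.

BASE = "https://mydomain.com/giftcards/save/"


def vulnerable_form_action(segment: str) -> str:
    """Mirror the behaviour the PoC demonstrates: whatever follows the
    route is copied verbatim into the action URL."""
    return BASE + segment


# Assumption: a gift card record is addressed by a decimal integer id.
ID_PATTERN = re.compile(r"[0-9]+")


class InvalidGiftcardId(ValueError):
    """Raised when the path segment is not a well-formed record id."""


def hardened_form_action(segment: str) -> str:
    """Accept only a numeric id before building the action URL.

    Escaping alone is not enough here: an attacker-supplied path stays
    inside the attribute value and still redirects the POST, so the fix
    is to validate the segment against the expected id format."""
    if not ID_PATTERN.fullmatch(segment):
        raise InvalidGiftcardId(f"rejected form action segment: {segment!r}")
    return BASE + html.escape(segment)


def render_form(action: str) -> str:
    """Emit the form tag shown in the PoC with the given action."""
    return (f'<form action="{action}" id="giftcard_form" '
            'class="form-horizontal" method="post" accept-charset="utf-8">')


if __name__ == "__main__":
    print(render_form(vulnerable_form_action("anotherpagehere")))
    print(render_form(hardened_form_action("42")))
    for bad in ("anotherpagehere", "../users", "42/extra", ""):
        try:
            hardened_form_action(bad)
        except InvalidGiftcardId as exc:
            print(exc)
```

Running the block prints the hijacked form tag from the PoC first, then the hardened tag for id 42, followed by one rejection line per malformed segment.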
Hey Melbin, I've just emailed the repo maintainer about this report.
How is this vulnerability alone harmful? The attacker will need to have access to the filesystem to catch the POST request within this other page, no? So this vuln alone isn't really that harmful?
I think the server will just throw an error as it won't be able to update anything for the last part of the URL (which is the object reference in the db which does not exist).
The form will remain on the same domain. I don't think this issue is really the vulnerability described in the explanation.