External Control of File Name or Path in opensourcepos/opensourcepos

Valid

Reported on

Aug 26th 2021


✍️ Description

The form on the giftcards/view/ page can be hijacked so that its POST data is sent to another page, by modifying the login page URL.

🕵️‍♂️ Proof of Concept

Change the login page URL to

https://mydomain.com/giftcards/view/anotherpagehere

Then the form action in the webpage will be changed to

<form action="https://mydomain.com/giftcards/save/anotherpagehere" id="giftcard_form" class="form-horizontal" method="post" accept-charset="utf-8">

💥 Impact

Form action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this to construct a URL that, if visited by another application user, modifies the action URL of the form to point to another page. If that user then submits the form, its contents, including any input the victim entered, are POSTed to the new page instead of the intended one.
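As an added illustration (not code from the opensourcepos project or from this report), the Python sketch below contrasts a form-action builder that copies the trailing URL segment into the action, which is the pattern the report describes, with one that only accepts a numeric gift card id and attribute-escapes the result. The function names, the id pattern and the base URL are assumptions.

```python
import html
import re

BASE_URL = "https://mydomain.com"  # constructed value standing in for the site in the report

# Vulnerable pattern: whatever followed /giftcards/view/ is copied verbatim into the action,
# so a crafted path segment rewrites where the form will POST to.
def form_action_unsafe(trailing_segment: str) -> str:
    return f"{BASE_URL}/giftcards/save/{trailing_segment}"

# Hardened pattern: the segment must be a positive decimal id (assumed format);
# anything else is rejected before it can reach the template.
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def is_valid_giftcard_segment(trailing_segment: str) -> bool:
    return _ID_RE.fullmatch(trailing_segment) is not None

def form_action_safe(trailing_segment: str) -> str:
    if not is_valid_giftcard_segment(trailing_segment):
        raise ValueError("giftcard id must be a positive integer")
    return f"{BASE_URL}/giftcards/save/{int(trailing_segment)}"

def render_giftcard_form(action: str) -> str:
    # Escape the action even after validation: defence in depth against a later
    # change that relaxes the id check, and against attribute-breaking characters.
    return (f'<form action="{html.escape(action, quote=True)}" id="giftcard_form" '
            'class="form-horizontal" method="post" accept-charset="utf-8">')

def build_form(trailing_segment: str, hardened: bool = True) -> str:
    builder = form_action_safe if hardened else form_action_unsafe
    return render_giftcard_form(builder(trailing_segment))

if __name__ == "__main__":
    # Reproduces the form tag from the report's proof of concept.
    print(build_form("anotherpagehere", hardened=False))
    print(build_form("42"))
    try:
        build_form("anotherpagehere")
    except ValueError as exc:
        print("rejected:", exc)
```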

Z-Old
2 years ago

Admin


Hey Melbin, I've just emailed the repo maintainer about this report.

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
jekkos validated this vulnerability 2 years ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos
2 years ago

How is this vulnerability alone harmful? The attacker will need to have access to the filesystem to catch the POST request within this other page, no? So this vuln alone isn't really that harmful?

jekkos
2 years ago

I think the server will just throw an error as it won't be able to update anything for the last part of the URL (which is the object reference in the db which does not exist).

jekkos
a year ago

The form will remain on the same domain. I don't think this issue is really the vulnerability described in the explanation.

jekkos marked this as fixed in 3.3.7 with commit 9331d8 a year ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE