
WallacePOS Multiple Vulnerabilities

Medium

Synopsis

CVE-2019-3958: /api/sales/add Sales Item Name Authenticated Persistent Cross-site Scripting

A persistent cross-site scripting vulnerability was found in the sale item name of a till transaction submitted to the /api/sales/add endpoint. Exploitation requires user interaction: a privileged user has to view the affected sale. The vulnerability can grant an attacker with normal "staff" privileges the ability to perform any action authorized to an administrator.

The vulnerability is caused by a lack of input validation on the sale item name at the /api/sales/add endpoint. The unchecked input is stored in the application database on the server and subsequently sent to clients that request information about the sale, where it is rendered without output encoding. The field is also displayed, unsanitized, in application administrator reports.

Proof of Concept
  1. Log into WallacePOS as a normal "staff" user using the application landing page at https://<your server>/.
  2. Click "Till" and then "Add". In the Name column enter the following script (replace 127.0.0.1 with your server IP):
    • <script>alert("Adding joe."); $.get("https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D");</script>
  3. Add a unit price and then click "Process".
  4. Complete the sale by clicking "cash" and then "Complete".
  5. Choose "Cancel" when asked to print a receipt.
  6. Log out of the application and log back in as a WallacePOS admin user.
  7. Click "Sales", find the transaction you just added and then click "View".
  8. Notice that a JavaScript alert is displayed with the text "Adding joe.". The injected $.get() request to /api/users/add also runs in the administrator's session.
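The following is an added example, not WallacePOS code, showing the sink behind this finding: a stored item name concatenated straight into the markup of the admin "View sale" page, beside the output-encoding fix. SAMPLE_SALE is a constructed sale whose second item carries the payload from the PoC above; the row layout is assumed, not taken from the application.

```javascript
// Added example, not WallacePOS code: stored item name reaching the admin
// "View sale" page, and the output-encoding fix. SAMPLE_SALE is constructed.

// Constructed: what the attacker typed into the Till "Name" column (PoC payload).
const ATTACKER_ITEM_NAME =
  '<script>alert("Adding joe."); ' +
  '$.get("https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22admin%22%3A1%7D");' +
  '</script>';

const SAMPLE_SALE = {
  ref: 'sale-0001', // constructed reference
  items: [
    { name: 'Flat white', qty: 2, price: '3.50' },
    { name: ATTACKER_ITEM_NAME, qty: 1, price: '0.01' },
  ],
};

// Minimal HTML entity encoder for text placed between tags or in a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored data is concatenated into markup that is later
// assigned to innerHTML (or echoed by a PHP template). The name is trusted
// because it came back from "our own" API, which is exactly the mistake.
function renderSaleRowsUnsafe(sale) {
  return sale.items
    .map((it) => `<tr><td>${it.name}</td><td>${it.qty}</td><td>${it.price}</td></tr>`)
    .join('');
}

// Hardened pattern: every field that originated from a user is encoded at the
// point of output, on every page that shows it (sale view, reports, receipts).
function renderSaleRows(sale) {
  return sale.items
    .map((it) =>
      `<tr><td>${escapeHtml(it.name)}</td><td>${escapeHtml(it.qty)}</td><td>${escapeHtml(it.price)}</td></tr>`)
    .join('');
}

// Check used when comparing the two renderers: is a live <script> tag still present?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

In a browser the same effect is obtained by creating the cell and setting `td.textContent = it.name` instead of building HTML strings; either way the encoding has to happen at every sink that shows the field, which is why the administrator reports mentioned above need the same treatment as the sale view. A Content Security Policy that disallows inline script is a useful second layer but does not replace output encoding.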

CVE-2019-3959: Cross-site Request Forgery

A cross-site request forgery (CSRF) vulnerability in WallacePOS 1.4.3 allows remote attackers to perform actions with the permissions of a victim user, provided the victim has an active session and is induced to trigger the malicious request.

For instance, an attacker could convince a victim WallacePOS user to click a link that causes a new user to be added.

The vulnerability exists because browsers automatically include session cookies with requests, and the application does not require any per-session secret (such as a CSRF token) on state-changing requests. Therefore, if the victim is authenticated to the site, the site cannot distinguish a request forged by a third party from a legitimate request sent by the victim.

Please note that this vulnerability can be combined with the cross-site scripting vulnerability to automatically perform sensitive application actions.

Proof of Concept

(Note that the IP address must be replaced with the IP of the WallacePOS instance.)

The following PoC URL creates a user named "joe" with the password "schmoe" and the admin flag set. If this link is sent to a victim user with sufficient privileges and they click it, the user "joe" will be created.

https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D

CVE-2019-3960: Authenticated Unrestricted File Upload RCE

An unrestricted file upload vulnerability in WallacePOS allows a remote authenticated admin user to execute arbitrary PHP code on the server in the context of the web server process. The authenticated admin user can browse to https://<your server>/admin/#!possettings, select the "Browser/Email Logo" upload widget and upload a file of any type to the server, where it is written to the web-served /docs/ directory under its original name. It is possible to upload a PHP reverse shell and access the host as www-data under a default Apache2 configuration.

Proof of Concept
  1. On your local machine, create a file named "whoami.php". Save the file with the following contents:
    • <?php echo exec('whoami'); ?>
  2. Log into WallacePOS as an administrator.
  3. Visit the "Settings" page. Then browse to "POS Settings".
  4. For the "Browser/Email Logo" choose your whoami.php file. Click "Save" at the bottom.
  5. In the browser, visit https://127.0.0.1/docs/whoami.php. (Be sure to replace the IP address accordingly.)
  6. The response will be 'www-data' (or whatever user the web server runs as).

Solution

Apply the WallacePOS 1.4.3 security hot fixes. No fix currently exists for CSRF on the login form, as WallacePOS noted.

Disclosure Timeline

05/01/2019 - Tenable asks for security contact using the web form on wallaceit.com.au/contact.
05/01/2019 - Tenable asks for security contact using admin email address from WHOIS info for wallacepos.com.
05/08/2019 - Tenable attempts to make contact for a second time. 45-day and 90-day dates are communicated as 06/17/2019 and 07/30/2019, respectively.
05/15/2019 - Tenable attempts to make contact for a third and final time.
05/15/2019 - WallacePOS indicates the preferred email address. They do not have a PGP key.
05/15/2019 - Tenable sends the vulnerability details to the preferred email.
05/22/2019 - Tenable follows up to ensure the report was received.
06/04/2019 - Tenable asks for an update.
06/04/2019 - WallacePOS states that the project is no longer actively maintained, but they will work on patching the bugs over the weekend.
06/05/2019 - Tenable thanks WallacePOS for the update.
06/06/2019 - Tenable asks whether we need to assign the CVEs.
06/07/2019 - WallacePOS says Tenable can assign CVEs. Asks "what brought this on?"
06/07/2019 - Tenable responds with assigned CVE numbers. Describes our vulnerability research policy.
06/24/2019 - Tenable asks for an update.
06/25/2019 - WallacePOS releases security hot fix for version 1.4.3. However, WallacePOS indicates that CSRF protection is not on the login form.
06/25/2019 - Tenable thanks WallacePOS for update. Asks to be notified when login CSRF protection is implemented.
07/08/2019 - Tenable asks for an update.
07/23/2019 - Tenable asks for an update.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-37
Credit: Tom Pearson
CVSSv2 Base / Temporal Score: 6.8 / 5.3
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Affected Products: WallacePOS 1.4.3
Risk Factor: Medium

Advisory Timeline

07/30/2019 - Initial advisory release