
WallacePOS Multiple Vulnerabilities

Medium

Synopsis

CVE-2019-3958: /api/sales/add Sales Item Name Authenticated Persistent Cross-site Scripting

A persistent cross-site scripting vulnerability was found in the sale item name of a till transaction on the /api/sales/add endpoint. This vulnerability requires user interaction to be exploited successfully. This vulnerability can grant an attacker with normal user privileges the ability to perform any action authorized to an administrator.

This vulnerability is caused by the lack of input validation on the sales transaction name at the /api/sales/add endpoint. Unchecked input is stored in the application database on the server and subsequently sent to clients when they request information about a sale. This field also is displayed, unsanitized, in application administrator reports.

Proof of Concept
  1. Log into WallacePOS as a normal "staff" user using the application landing page at https://<your server>/.
  2. Click "Till" and then "Add". In the Name column add the following script (make sure you replace 127.0.0.1 with your server IP):
    • <script>alert("Adding joe."); $.get("https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D");</script>
  3. Add a unit price and then click "Process".
  4. Complete the sale by clicking "cash" and then "Complete".
  5. Choose "Cancel" when asked to print a receipt.
  6. Log out of the application and log back in as a WallacePOS admin user.
  7. Click "Sales", find the transaction you just added and then click "View".
  8. Notice that a JavaScript alert is displayed with the text "xss".
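As a defender-side illustration of the fix the advisory implies (stored text must be encoded for the context it is rendered into), here is an added Python example; it is not WallacePOS code. The functions render_sale_row, json_for_script, render_sale_data_block and validate_item_name are hypothetical stand-ins for the report view and the /api/sales/add handler, and the sample item name is constructed.

```python
# Added example, not WallacePOS code: context-aware output encoding for a
# stored sale item name, plus a light input check at the add-sale endpoint.
import html
import json
import re

# Constructed sample input: an item name carrying markup, of the kind
# CVE-2019-3958 describes being stored verbatim via /api/sales/add.
SAMPLE_ITEM_NAME = 'Coffee <script>alert("xss")</script>'


def validate_item_name(name: str, max_len: int = 120) -> bool:
    """Server-side check for /api/sales/add (hypothetical handler).

    Defence in depth only: it bounds length and rejects control characters,
    but does not try to strip HTML, because output encoding (below) is what
    actually prevents script execution.
    """
    if not name or len(name) > max_len:
        return False
    return re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", name) is None


def render_sale_row(item_name: str, qty: int, unit_price: float) -> str:
    """Render one sales-report row; untrusted text is HTML-escaped.

    html.escape turns < > & " ' into entities, so a stored name can only
    ever appear as text inside the <td>, never as a new element.
    """
    safe_name = html.escape(item_name, quote=True)
    return (f"<tr><td>{safe_name}</td><td>{int(qty)}</td>"
            f"<td>{float(unit_price):.2f}</td></tr>")


def json_for_script(sale: dict) -> str:
    """Serialise sale data for embedding inside a <script> element.

    JSON is not HTML: the text '</script>' inside a value would end the
    element early. Escaping the '/' after '<' keeps the JSON valid (a
    backslash-slash is a legal JSON escape) while removing every '</'.
    """
    return json.dumps(sale).replace("</", "<\\/")


def render_sale_data_block(sale: dict) -> str:
    """Wrap the escaped JSON so client-side code can read it with JSON.parse."""
    return ('<script type="application/json" id="sale-data">'
            f"{json_for_script(sale)}</script>")


if __name__ == "__main__":
    print(validate_item_name(SAMPLE_ITEM_NAME))
    print(render_sale_row(SAMPLE_ITEM_NAME, 2, 3.5))
    print(render_sale_data_block({"items": [{"name": SAMPLE_ITEM_NAME}]}))
```

The point of the two encoders is that the same stored string needs a different transformation depending on where it lands: entity encoding for HTML text, and JSON escaping (with `</` neutralised) for data handed to client-side JavaScript. Stripping tags at input time is not a substitute for either.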

CVE-2019-3959: Cross-site Request Forgery

A cross-site request forgery (XSRF) vulnerability in WallacePOS 1.4.3 allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request.

For instance, an attacker could convince a victim WallacePOS user to click a link that, when clicked, causes a new user to be added.

This vulnerability arises because browsers automatically include session cookies when performing requests. Therefore, if the victim user is authenticated to the site, the site cannot distinguish a forged request from a legitimate request sent by the victim.

Please note that this vulnerability can be combined with the cross-site scripting vulnerability to automatically perform sensitive application actions.

Proof of Concept

(Note that the IP address must be replaced with the IP of the WallacePOS instance.)

The following PoC URL will create a user named "joe" with a password of "schmoe". If this link is sent to a victim user with sufficient privileges, and it is clicked, then the user "joe" will be created.

https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D
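As a defender-side illustration of the synchronizer-token check that addresses the cause described above, here is an added Python example; it is not WallacePOS code. The session dictionary, the csrf_token form field, the X-CSRF-Token header name and the functions new_session, csrf_hidden_field, check_state_change and simulate are all hypothetical; the request body is a constructed placeholder that only mirrors the shape of the /api/users/add call shown in the advisory.

```python
# Added example, not WallacePOS code: synchronizer-token CSRF protection
# for a state-changing endpoint such as /api/users/add (CVE-2019-3959).
import hmac
import secrets

# Methods a browser can trigger from a plain link or image tag. A state
# change must never be accepted on these, whatever token is present.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session() -> dict:
    """Create a server-side session with a fresh, unguessable CSRF token.
    (Hypothetical session shape: a dict the framework would persist.)"""
    return {"user": None, "csrf_token": secrets.token_hex(32)}


def csrf_hidden_field(session: dict) -> str:
    """Hidden input the legitimate form includes. A cross-site page cannot
    read this value because it is only served to the logged-in user."""
    return f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'


def check_state_change(session: dict, method: str, form: dict, headers: dict) -> tuple:
    """Gate for any request that changes state. Returns (allowed, reason).

    The browser attached the session cookie in both the forged and the
    legitimate case, so the cookie alone proves nothing; the token, which
    only same-origin pages can obtain, is what distinguishes them.
    """
    if method.upper() in SAFE_METHODS:
        return False, f"state change not accepted via {method.upper()}"
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not supplied:
        return False, "missing CSRF token"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(str(supplied).encode(), session["csrf_token"].encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def simulate() -> dict:
    """Run the three request shapes the advisory's scenario implies."""
    session = new_session()
    session["user"] = "admin"                      # victim has an active session
    data = '{"username":"joe","pass":"<placeholder>","admin":1}'  # constructed body
    results = {}
    # 1. Forged GET link: cookie is sent automatically, no token possible.
    results["forged_get"] = check_state_change(session, "GET", {"data": data}, {})
    # 2. Forged cross-site POST (auto-submitting form): still no token.
    results["forged_post"] = check_state_change(session, "POST", {"data": data}, {})
    # 3. Legitimate same-origin POST carrying the hidden field.
    results["legit_post"] = check_state_change(
        session, "POST", {"data": data, "csrf_token": session["csrf_token"]}, {})
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

Two details matter for this particular advisory: the PoC link works over GET, so refusing state changes on safe methods removes the link-click vector outright, and the token must be compared in constant time. Setting SameSite=Lax or Strict on the session cookie adds a second layer, since the browser then withholds the cookie on most cross-site requests (Lax still sends it on top-level GET navigations, which is another reason not to change state on GET).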

CVE-2019-3960: Authenticated Unrestricted File Upload RCE

An unrestricted file upload vulnerability in WallacePOS allows a remote authenticated admin user to execute arbitrary PHP code on the server in the context of the web server process. The authenticated admin user can browse to https://<your server>/admin/#!possettings, select the "Browser/Email Logo" upload widget and upload any file type to the server. It is possible to upload a PHP reverse shell and access the host as www-data given a default Apache2 server configuration.

Proof of Concept
  1. On your local machine, create a file named "whoami.php". Save the file with the following contents:
    • <?php echo exec('whoami'); ?>
  2. Log into WallacePOS as an administrator.
  3. Visit the "Settings" page. Then browse to "POS Settings".
  4. For the "Browser/Email Logo" choose your whoami.php file. Click "Save" at the bottom.
  5. In the browser, visit https://127.0.0.1/docs/whoami.php. (Be sure to replace the IP address accordingly.)
  6. The result will likely be 'www-data' (whatever user the web server is running as).
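As a defender-side illustration of how a logo upload can be restricted to actual images, here is an added Python example; it is not WallacePOS code. The functions validate_logo_upload, storage_name and handle_upload are hypothetical, the sample uploads are constructed, and the allow-list assumes the application only needs PNG, JPEG or GIF logos.

```python
# Added example, not WallacePOS code: allow-list validation for a logo
# upload, addressing the unrestricted upload in CVE-2019-3960.
import os
import secrets

# Allowed image types: extension -> acceptable leading byte signatures.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_LOGO_BYTES = 2 * 1024 * 1024


def validate_logo_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, reason). Every check is an allow-list: the file must have
    an image extension AND start with the matching signature AND be small."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_LOGO_BYTES:
        return False, "file too large"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never reuse the client's name: generate a random name and keep only
    the (already validated) extension, so path or double-extension tricks
    in the original name cannot influence where or how the file is stored."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return f"logo_{secrets.token_hex(8)}{ext}"


def handle_upload(filename: str, data: bytes) -> dict:
    """What a hypothetical POS-settings handler would do with one upload."""
    ok, reason = validate_logo_upload(filename, data)
    if not ok:
        return {"accepted": False, "reason": reason}
    return {"accepted": True, "stored_as": storage_name(filename)}


# Constructed sample uploads (not real files from the advisory):
PNG_LOGO = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64        # minimal PNG-looking blob
PHP_PROBE = b"<?php /* constructed: not an image */ ?>\n"  # script text, no image header
RENAMED_PHP = PHP_PROBE                                 # same bytes, uploaded as logo.png


if __name__ == "__main__":
    print(handle_upload("logo.png", PNG_LOGO))       # accepted
    print(handle_upload("whoami.php", PHP_PROBE))    # rejected: extension
    print(handle_upload("logo.png", RENAMED_PHP))    # rejected: content
```

The signature check is what catches a script renamed to an image extension, and the random storage name removes the client's influence over the stored path. Independently of this validation, the directory that receives uploads should be configured so the web server never executes scripts from it; the advisory's PoC works precisely because the uploaded file is both kept under a web-reachable path (/docs/) and handled by the PHP interpreter.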

Solution

Apply version 1.4.3 security hot fixes. No solution currently exists for CSRF around the login, as WallacePOS pointed out.

Disclosure Timeline

05/01/2019 - Tenable asks for security contact using the web form on wallaceit.com.au/contact.
05/01/2019 - Tenable asks for security contact using admin email address from WHOIS info for wallacepos.com.
05/08/2019 - Tenable attempts to make contact for a second time. 45-day and 90-day dates are communicated as 06/17/2019 and 07/30/2019, respectively.
05/15/2019 - Tenable attempts to make contact for a third and final time.
05/15/2019 - WallacePOS indicates the preferred email address. They do not have a PGP key.
05/15/2019 - Tenable sends the vulnerability details to the preferred email.
05/22/2019 - Tenable follows up to ensure the report was received.
06/04/2019 - Tenable asks for an update.
06/04/2019 - WallacePOS states that the project is no longer actively maintained, but they will work on patching the bugs over the weekend.
06/05/2019 - Tenable thanks WallacePOS for the update.
06/06/2019 - Tenable asks whether we need to assign the CVEs.
06/07/2019 - WallacePOS says Tenable can assign CVEs. Asks "what brought this on?"
06/07/2019 - Tenable responds with assigned CVE numbers. Describes our vulnerability research policy.
06/24/2019 - Tenable asks for an update.
06/25/2019 - WallacePOS releases security hot fix for version 1.4.3. However, WallacePOS indicates that CSRF protection is not on the login form.
06/25/2019 - Tenable thanks WallacePOS for update. Asks to be notified when login CSRF protection is implemented.
07/08/2019 - Tenable asks for an update.
07/23/2019 - Tenable asks for an update.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
