
WallacePOS Multiple Vulnerabilities

Medium

Synopsis

CVE-2019-3958: /api/sales/add Sales Item Name Authenticated Persistent Cross-site Scripting

A persistent cross-site scripting vulnerability was found in the sale item name of a till transaction on the /api/sales/add endpoint. This vulnerability requires user interaction to be exploited successfully. This vulnerability can grant an attacker with normal user privileges the ability to perform any action authorized to an administrator.

This vulnerability is caused by the lack of input validation on the sales transaction name at the /api/sales/add endpoint. Unchecked input is stored in the application database on the server and subsequently sent to clients when they request information about a sale. This field also is displayed, unsanitized, in application administrator reports.

Proof of Concept
  1. Log into WallacePOS as a normal "staff" user using the application landing page at https://<your server>/.
  2. Click "Till" and then "Add". In the Name column add the following script (make sure you replace 127.0.0.1 with your server IP):
    • <script>alert("Adding joe."); $.get("https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D");</script>
  3. Add a unit price and then click "Process".
  4. Complete the sale by clicking "cash" and then "Complete".
  5. Choose "Cancel" when asked to print a receipt.
  6. Log out of the application and log back in as a WallacePOS admin user.
  7. Click "Sales", find the transaction you just added and then click "View".
  8. Notice that a JavaScript alert is displayed with the text "xss".

CVE-2019-3959: Cross-site Request Forgery

A cross-site request forgery (XSRF) vulnerability in WallacePOS 1.4.3 allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request.

For instance, an attacker could convince a victim WallacePOS user into clicking a link that, when clicked, causes a new user to be added.

This vulnerability is caused because browsers automatically include session cookies when performing requests. Therefore, if the victim user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim.

Please note that this vulnerability can be combined with the cross-site scripting vulnerability to automatically perform sensitive application actions.

Proof of Concept

(Note that the IP address must be replaced with the IP of the WallacePOS instance.)

The following PoC URL will create a user named "joe" with a password of "schmoe". If this link is sent to a victim user with sufficient privileges, and it is clicked, then the user "joe" will be created.

https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D
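The defence the advisory implies is a session-bound anti-CSRF token checked on every state-changing API call. The following is an added example, not WallacePOS code: it decodes the `data` parameter of the PoC URL above to show what the forged request carries, and then models a token check that rejects that request even though the victim's session cookie is valid. `SERVER_SECRET`, the session ids and the function names are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed secret for this example; a real deployment generates and stores its own.
SERVER_SECRET = b"constructed-demo-secret"

# The PoC URL from the advisory (host is a placeholder there as well).
POC_URL = ("https://127.0.0.1/api/users/add?data=%7B%22username%22%3A%22joe%22%2C%22pass%22%3A"
           "%22022c22c21fc47dda38e12228c1e69fbc6a9e18d9d3478927091ca4145d641862%22%2C%22admin%22%3A1%7D")


def decode_data_param(url: str) -> dict:
    """Return the JSON object carried in the 'data' query parameter of a WallacePOS API URL."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["data"][0])


def csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token: HMAC of the session id under a server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_change_allowed(method: str, session_id: str, token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a state-changing call such as /api/users/add may proceed.

    A cross-site request carries the victim's cookie automatically, but the attacker
    cannot read the session-bound token, so the forged request fails here.
    """
    if method.upper() != "POST":
        return False, "state-changing calls must use POST, not GET"
    if not token or not hmac.compare_digest(token, csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    print(decode_data_param(POC_URL))          # shows username "joe" and admin 1
    sid = "victim-session-id"                   # constructed session id
    print(is_state_change_allowed("GET", sid, None))              # rejected: the PoC shape
    print(is_state_change_allowed("POST", sid, csrf_token(sid)))  # allowed: legitimate form post
```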

CVE-2019-3960: Authenticated Unrestricted File Upload RCE

An unrestricted file upload vulnerability in WallacePOS allows a remote authenticated admin user to execute arbitrary PHP code on the server in the context of the web server process. The authenticated admin user can browse to https://<your server>/admin/#!possettings, select the "Browser/Email Logo" upload widget and upload any file type to the server. It is possible to upload a PHP reverse shell and access the host as www-data given a default Apache2 server configuration.

Proof of Concept
  1. On your local machine, create a file named "whoami.php". Save the file with the following contents:
    • <?php echo exec('whoami'); ?>
  2. Log into WallacePOS as an administrator.
  3. Visit the "Settings" page. Then browse to "POS Settings".
  4. For the "Browser/Email Logo" choose your whoami.php file. Click "Save" at the bottom.
  5. In the browser, visit https://127.0.0.1/docs/whoami.php. (Be sure to replace the IP address accordingly.)
  6. The result will likely be 'www-data' (whatever user the web server is running as).
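The upload above succeeds because the logo widget accepts any file and stores it under the web root with the client's own name, where Apache executes a `.php` file. As an added example (not WallacePOS code), this validator shows the checks a logo upload handler would apply: an extension allowlist, a magic-byte check against the declared type, a scan for embedded script markers (a polyglot image can still be executed when a handler matches), and a server-chosen filename. The signature table and the 512 KiB limit are constructed for this example.

```python
import os
import secrets
from typing import Tuple

# Constructed allowlist: logo types the settings page should accept and their file signatures.
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Markers that should never appear inside an image file destined for the web root.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_logo_upload(filename: str, content: bytes, max_bytes: int = 512 * 1024) -> Tuple[bool, str]:
    """Accept only a genuine image of an allowed type; reject whoami.php-style uploads."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(content) > max_bytes:
        return False, "file too large"
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the validated extension; the client's name is never reused."""
    ext = os.path.splitext(filename)[1].lower()
    return f"logo_{secrets.token_hex(8)}{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's PoC file and a minimal PNG header.
    poc = b"<?php echo exec('whoami'); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_logo_upload("whoami.php", poc))   # rejected by extension
    print(validate_logo_upload("logo.png", poc))     # rejected by magic bytes
    print(validate_logo_upload("logo.png", png), stored_name("logo.png"))
```

Storing logos outside the web root, or in a directory where the PHP engine is disabled, removes the execution path even if a check is bypassed.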

Solution

Apply version 1.4.3 security hot fixes. No solution currently exists for CSRF around the login, as WallacePOS pointed out.

Disclosure Timeline

05/01/2019 - Tenable asks for security contact using the web form on wallaceit.com.au/contact.
05/01/2019 - Tenable asks for security contact using admin email address from WHOIS info for wallacepos.com.
05/08/2019 - Tenable attempts to make contact for a second time. 45-day and 90-day dates are communicated as 06/17/2019 and 07/30/2019, respectively.
05/15/2019 - Tenable attempts to make contact for a third and final time.
05/15/2019 - WallacePOS indicates the preferred email address. They do not have a PGP key.
05/15/2019 - Tenable sends the vulnerability details to the preferred email.
05/22/2019 - Tenable follows up to ensure the report was received.
06/04/2019 - Tenable asks for an update.
06/04/2019 - WallacePOS states that the project is no longer actively maintained, but they will work on patching the bugs over the weekend.
06/05/2019 - Tenable thanks WallacePOS for the update.
06/06/2019 - Tenable asks whether we need to assign the CVEs.
06/07/2019 - WallacePOS says Tenable can assign CVEs. Asks "what brought this on?"
06/07/2019 - Tenable responds with assigned CVE numbers. Describes our vulnerability research policy.
06/24/2019 - Tenable asks for an update.
06/25/2019 - WallacePOS releases security hot fix for version 1.4.3. However, WallacePOS indicates that CSRF protection is not on the login form.
06/25/2019 - Tenable thanks WallacePOS for update. Asks to be notified when login CSRF protection is implemented.
07/08/2019 - Tenable asks for an update.
07/23/2019 - Tenable asks for an update.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-37
Credit: Tom Pearson
CVSSv2 Base / Temporal Score: 6.8 / 5.3
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Affected Products: WallacePOS 1.4.3
Risk Factor: Medium

Advisory Timeline

07/30/2019 - Initial advisory release
