ury-erp ury SQL Injection Vulnerability in POS Module

Vulnerability

A critical SQL injection vulnerability exists in the URY Restaurant Management System, specifically in versions up to 0.2.0. The issue is located in the POS module's API endpoint 'overrided_past_order_list', within the file 'ury/ury/api/pos_extend.py'. This vulnerability allows low-privileged or unauthenticated attackers to manipulate the 'search_term' parameter, bypass input sanitization, and execute arbitrary SQL queries on the backend MariaDB database. Exploitation could lead to unauthorized data access, data modification, or a complete database compromise.

Impact

Exploitation of this vulnerability allows attackers to access and manipulate database information, including bypassing application access controls and altering or deleting data. Additionally, extracted data could include sensitive information such as customer details and financial records.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/method/ury.ury.api.pos_extend.overrided_past_order_list' endpoint. Include a crafted 'search_term' that exploits the SQL injection vulnerability, such as a payload that manipulates the SQL query execution. The request should also include a valid session token in the cookies to authenticate the request.

Remediation

Upgrade to URY version 0.2.1, which addresses the SQL injection vulnerability by implementing input validation and using parameterized queries to safely handle user-supplied data. The patched version is available on the URY GitHub repository.
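The kind of fix the remediation describes, as an added illustration that is not the project's code: a hypothetical order-search function in its unsafe string-formatted form next to a validated, parameterized form, run against a constructed SQLite table that stands in for the MariaDB backend (the table, column names and sample rows are assumptions, not URY's schema).

```python
import sqlite3


def demo_db():
    # Constructed in-memory stand-in for a POS order table (not the project's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pos_invoice (name TEXT, customer TEXT)")
    conn.executemany(
        "INSERT INTO pos_invoice VALUES (?, ?)",
        [("INV-0001", "O'Brien"), ("INV-0002", "Smith"), ("INV-0003", "Brown")],
    )
    return conn


def past_orders_unsafe(conn, search_term):
    # Hypothetical 'before' form: the user-controlled search_term is spliced
    # into the SQL text, so any quote inside it changes the query structure.
    sql = f"SELECT name FROM pos_invoice WHERE customer LIKE '%{search_term}%'"
    return [row[0] for row in conn.execute(sql)]


def validate_search_term(search_term, max_len=100):
    # Input validation: reject non-strings and over-long terms before they reach SQL.
    if not isinstance(search_term, str):
        raise ValueError("search_term must be a string")
    if len(search_term) > max_len:
        raise ValueError("search_term too long")
    return search_term


def escape_like(term):
    # '%' and '_' are LIKE wildcards; escape them so a user matches them literally.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def past_orders_safe(conn, search_term):
    # Hardened form: the term only ever travels as a bound parameter, so the
    # database treats it as data, never as part of the query text.
    term = validate_search_term(search_term)
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT name FROM pos_invoice WHERE customer LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```

A legitimate customer name containing an apostrophe already breaks the unsafe query, which is the same structural flaw an attacker abuses; the parameterized form returns the expected row.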

Added: Nov 14, 2025, 3:27 PM
Updated: Nov 14, 2025, 5:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.