Open Source Point of Sale Password Change Endpoint Vulnerability in Version 3.4.1

Vulnerability

A vulnerability in the password change endpoint of Open Source Point of Sale (OSPOS) version 3.4.1 allows users to set their account password to an empty string. This issue arises from a lack of proper server-side validation. When an authenticated user leaves the 'password' and 'repeat_password' parameters empty, the backend still processes the request successfully, resulting in the password being set to an empty string. Consequently, this disables authentication, potentially allowing unauthorized access to user or administrative accounts.

Impact

Exploiting this vulnerability removes the password for the affected account, allowing access with just the username and no password, thereby bypassing authentication entirely.

Reproduction

To reproduce this vulnerability, send a POST request to the '/home/save/1' endpoint. Leave the 'password' and 'repeat_password' parameters empty. The server will respond successfully, but the password will be changed to an empty string.

Remediation

Implement server-side validation for password changes. The validation should reject empty password fields, enforce minimum length and complexity requirements, and verify that both password fields match.
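The checks listed above, as an added example; this is not OSPOS code. The function name, the 12-character minimum, the complexity rule and the sample request bodies are assumptions made for illustration; only the 'password' and 'repeat_password' parameter names come from this advisory.

```php
<?php
declare(strict_types=1);

// Assumed policy value for this example; the advisory does not specify one.
const MIN_PASSWORD_LENGTH = 12;

// Validate the 'password' and 'repeat_password' fields of a password-change
// request. Returns a list of errors; an empty list means the value may be stored.
function validate_password_change(array $post): array
{
    $password = $post['password'] ?? null;
    $repeat   = $post['repeat_password'] ?? null;
    // Reject missing fields and non-string values such as password[]=x.
    if (!is_string($password) || !is_string($repeat)) {
        return ['password and repeat_password must both be submitted as strings'];
    }
    // The case from the advisory: empty (or whitespace-only) values must
    // never reach the code that writes the password.
    if (trim($password) === '') {
        return ['password must not be empty'];
    }

    $errors = [];
    if (!hash_equals($password, $repeat)) {
        $errors[] = 'password and repeat_password do not match';
    }
    // mb_strlen counts characters rather than bytes (needs the mbstring extension).
    if (mb_strlen($password, 'UTF-8') < MIN_PASSWORD_LENGTH) {
        $errors[] = 'password must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    // Assumed complexity rule: at least one letter and one non-letter.
    if (!preg_match('/\pL/u', $password) || !preg_match('/[^\pL]/u', $password)) {
        $errors[] = 'password must contain a letter and a non-letter character';
    }
    return $errors;
}

// Constructed request bodies, as PHP would expose them in $_POST.
$samples = [
    'empty fields'    => ['password' => '', 'repeat_password' => ''],
    'fields omitted'  => [],
    'array parameter' => ['password' => ['x'], 'repeat_password' => ['x']],
    'mismatch'        => ['password' => 'correct horse 9', 'repeat_password' => 'correct horse 8'],
    'accepted'        => ['password' => 'correct horse 9', 'repeat_password' => 'correct horse 9'],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', implode('; ', validate_password_change($post)) ?: 'ok', PHP_EOL;
}
```

Only the last sample returns an empty error list; the first three are rejected before any length or match check runs.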

Added: Nov 18, 2025, 4:22 PM
Updated: Nov 18, 2025, 5:47 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.