OpenSourcePOS Second-Order SQL Injection Vulnerability

Vulnerability

A second-order SQL injection vulnerability has been identified in OpenSourcePOS version 3.4.1. The currency_symbol configuration value is saved as-is and is not used in a query at save time; the Reports module later reads it back and concatenates it directly into a dynamically built SQL string. Because the stored value is neither escaped nor bound as a query parameter at that point, any user with permission to edit the configuration can store SQL fragments that execute when the affected report query runs, potentially giving unauthorized read or write access to the database.

Impact

Successful exploitation gives the attacker arbitrary SQL execution in the application's database, which can be used to read sensitive data or modify database contents. The injection point returns no direct error or data, so time-based blind techniques are the practical way to confirm and exploit it: the stored payload runs each time the Reports module generates the 'Summary Discounts' report, and a delaying payload makes that request measurably slower. Because the payload persists in the configuration, it is executed on every generation of the report until the value is changed.

Reproduction

Log in to OpenSourcePOS 3.4.1 with an account that has permission to change the application's configuration. Navigate to 'Configuration', then 'Localization', and submit a SQL payload in the 'Currency Symbol' field. Only client-side validation stands in the way; it is bypassed by submitting the form request directly rather than through the browser UI. Once the value is stored, open the 'Summary Discounts' report in the Reports module. The stored payload is executed as part of the report query; with a time-based payload the response is noticeably delayed, which confirms the injection.

Remediation

Treat the stored currency_symbol value as untrusted at the point of use, even though it is read from the application's own database: build the affected Reports query with CodeIgniter's Query Builder, or pass the value through query bindings or the escaping functions, and apply the same rule to every other configuration variable that reaches a SQL string. In addition, enforce strict server-side validation on the 'currency_symbol' field so that only the expected characters of a short currency symbol are accepted; client-side validation alone does not prevent the issue.
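The following is an added illustration of the vulnerable pattern described above and of the remediation just outlined; it is not OpenSourcePOS code and does not reproduce the project's actual query. The model and controller names, the table and column names, and the assumption that the symbol is read via `$this->config->item('currency_symbol')` are all hypothetical. Only the CodeIgniter 3 calls used (`$this->db->query()` with `?` bindings, `$this->db->escape()`, and the `regex_match` form-validation rule) are real API.

```php
<?php
// Added example, not OpenSourcePOS code. Shows a second-order injection
// through a stored config value and the two fixes the advisory recommends:
// binding at the point of use and allowlist validation at the point of save.
// Table/column names (ospos_sales, discount, sale_time) and the config lookup
// are assumptions made for this illustration.

class Reports_model_example extends CI_Model
{
    // VULNERABLE: the stored symbol is concatenated straight into the SQL text.
    // In this hypothetical query the symbol lands inside a single-quoted
    // literal, so a value saved as   $' AND SLEEP(5) AND '   keeps the quotes
    // balanced and turns every report request into a 5-second delay, the
    // time-based signal the advisory describes. The exact shape of the real
    // OSPOS query, and therefore the exact payload, is not shown here.
    public function summary_discounts_vulnerable($start, $end)
    {
        $symbol = $this->config->item('currency_symbol'); // second-order source

        $sql = "SELECT CONCAT('" . $symbol . "', SUM(discount)) AS total_discount "
             . "FROM ospos_sales "
             . "WHERE sale_time BETWEEN " . $this->db->escape($start)
             . " AND " . $this->db->escape($end);

        return $this->db->query($sql)->result_array();
    }

    // FIXED: every runtime value, including the one read back from the
    // database, is passed as a binding. CI3 escapes and quotes each value in
    // place of its '?' placeholder, so the symbol can only ever be a string
    // literal in the query, never SQL syntax.
    public function summary_discounts_fixed($start, $end)
    {
        $symbol = $this->config->item('currency_symbol');

        $sql = "SELECT CONCAT(?, SUM(discount)) AS total_discount "
             . "FROM ospos_sales "
             . "WHERE sale_time BETWEEN ? AND ?";

        return $this->db->query($sql, array($symbol, $start, $end))->result_array();
    }
}

class Config_example extends CI_Controller
{
    // Server-side allowlist for the field. Accepts one to eight characters that
    // are either a Unicode currency symbol (\p{Sc}: $, €, £, ¥, ...) or an ASCII
    // letter (for codes such as "USD"). Anything else, including quotes,
    // parentheses and spaces, is rejected before it can be stored. The client
    // side is free to mirror this rule, but only this check is authoritative.
    public function save_localization()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules(
            'currency_symbol',
            'Currency Symbol',
            'trim|required|max_length[8]|regex_match[/^[\p{Sc}A-Za-z]{1,8}$/u]'
        );

        if ($this->form_validation->run() === FALSE) {
            $this->output->set_status_header(400);
            echo validation_errors();
            return;
        }

        // Validation passed: persist the value the same way the existing
        // configuration save does (storage call omitted; it is project-specific).
        $symbol = $this->input->post('currency_symbol');
        $this->store_config_value('currency_symbol', $symbol); // hypothetical helper
    }
}
```

The two fixes are independent and both are worth applying: the binding in `summary_discounts_fixed` makes the query safe regardless of what is already stored, which matters because a payload saved before the validation rule was added would otherwise survive in the configuration; the allowlist in `save_localization` stops new hostile values from being stored at all and protects any other code path that might consume the field.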

Added: Feb 20, 2026, 5:41 PM
Updated: Feb 20, 2026, 7:13 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.