OpenSourcePOS Local File Inclusion Vulnerability Leading to Remote Code Execution

Vulnerability

A Local File Inclusion (LFI) vulnerability has been identified in OpenSourcePOS version 3.4.1, specifically within the Sales module's getInvoice() function. This vulnerability allows authenticated attackers to read arbitrary files on the web server by manipulating the Invoice Type configuration. The issue arises because user-controlled input is not properly sanitized before being used to include files. Furthermore, this LFI vulnerability can be exploited in conjunction with the application's file upload feature to achieve Remote Code Execution (RCE). By uploading a malicious image containing PHP code, an attacker can execute arbitrary commands on the server.

Impact

Exploitation of this vulnerability allows for Local File Inclusion, where an attacker can read sensitive files such as the environment configuration file. This LFI can be escalated to Remote Code Execution by including an uploaded file that contains PHP code, which the server then executes.

Reproduction

To reproduce this vulnerability, log into OpenSourcePOS 3.4.1 and navigate to the Configuration section. Change the Invoice Type value to a path traversal payload that points to a sensitive file, such as the .env file. Once the payload is injected, create a new invoice, which will trigger the inclusion of the specified file, demonstrating the Local File Inclusion vulnerability. To escalate this to Remote Code Execution, upload an image file with a PHP payload embedded in it using the Change Company Logo functionality. After the image is uploaded, change the Invoice Type field in the configuration to point to the uploaded image file. When the invoice is rendered, the PHP payload will be executed, confirming successful exploitation.

Remediation

It is recommended to implement input validation by restricting the Invoice Type configuration to a whitelist of predefined template names. Additionally, user-supplied input should be sanitized using functions like basename() to remove directory paths before processing. As a further security measure, disable PHP execution in the uploads directory through server configuration.
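One way to apply the first two recommendations in code, as an added example that is not OpenSourcePOS's own code: the template names, the template directory and the call site are assumptions. The check runs at the point of inclusion rather than only when the setting is saved, so a value written to the configuration store by any other route is still rejected.

```php
<?php
// Added example (not OpenSourcePOS code). Template names, the template
// directory and the call site are assumptions for illustration.

// The pattern the advisory describes: the configured Invoice Type is
// concatenated straight into the include path, so traversal sequences and
// uploaded files become reachable.
function resolveInvoiceTemplateUnsafe(string $invoiceType, string $templateDir): string
{
    return $templateDir . '/' . $invoiceType . '.php';
}

// Hardened form: only predefined template names are accepted, the value is
// reduced to a bare filename with basename(), and the resolved path must stay
// inside the template directory. Returns null when the value must be rejected.
function resolveInvoiceTemplate(string $invoiceType, string $templateDir): ?string
{
    // Hypothetical allowlist of the invoice templates that ship with the app.
    $allowed = ['invoice_default', 'invoice_compact', 'receipt_a4'];

    // A legitimate template name never carries a directory component, so any
    // value that basename() changes (e.g. one containing "../") is rejected.
    $name = basename($invoiceType);
    if ($name !== $invoiceType || !in_array($name, $allowed, true)) {
        return null;
    }

    // Defence in depth: resolve symlinks and verify the final path is under
    // the template directory. realpath() returns false for a missing file.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// At the point of inclusion (hypothetical call site) the check runs every
// time, so a bad value stored in the database by other means is still refused.
// $template = resolveInvoiceTemplate($invoiceTypeSetting, __DIR__ . '/views/sales');
// if ($template === null) {
//     throw new RuntimeException('Invalid invoice template');
// }
// include $template;
```

The third recommendation (no PHP execution under the uploads directory) is a web-server setting rather than application code and is not shown here.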

Added: Feb 20, 2026, 5:42 PM
Updated: Feb 20, 2026, 7:13 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.