Open Source Point of Sale
cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*
- <= 3.4.2
A SQL injection vulnerability has been identified in Open Source Point of Sale (OSPOS) versions through 3.4.2. The issue arises in the Items search feature when the custom attribute search option is activated. User-supplied input from the search GET parameter is directly inserted into a HAVING clause without proper sanitization or parameterization. This vulnerability allows authenticated attackers with basic item search rights to execute arbitrary SQL queries.
Exploitation of this vulnerability could lead to unauthorized database access, allowing attackers to extract sensitive information such as user credentials, personal customer data, and financial records. Additionally, there is a risk of modifying data through crafted SQL queries and causing a denial-of-service by executing heavy database operations. Furthermore, extracted admin password hashes could be cracked offline to gain full control of the application.
To reproduce this vulnerability, an authenticated user with basic item search permissions can use the Items search feature with the custom attribute search option enabled. By crafting a search query that exploits the lack of parameterization in the HAVING clause, arbitrary SQL commands can be executed. For example, a query could be designed to extract admin password hashes from the database, which would be returned in the server's response.
The vulnerability can be addressed by replacing the string interpolation in the SQL query with a parameterized query, so that the search term is always bound as data rather than concatenated into the HAVING clause. As defense in depth, a strict filter on the special characters accepted in the search parameter can also be applied.
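The interpolation pattern the advisory describes beside its parameterized replacement, as an added example that is not OSPOS's code (OSPOS is a PHP application; this uses Python and SQLite with a constructed two-table schema standing in for the items and attribute tables, so the table and column names are assumptions):

```python
import sqlite3

# Constructed sample schema; it stands in for the items/attributes tables
# of a point-of-sale app and is not OSPOS's real schema.
SCHEMA = """
CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE attribute_values (item_id INTEGER, attr_name TEXT, attr_value TEXT);
"""
ITEMS = [(1, "Widget"), (2, "Gadget")]
ATTRS = [(1, "vendor", "O'Reilly"), (1, "color", "red"),
         (2, "vendor", "Acme"), (2, "color", "blue")]

# Custom attribute search: attribute values are aggregated per item, so the
# filter has to live in HAVING rather than WHERE.
BASE_SQL = """
SELECT i.item_id, i.name, GROUP_CONCAT(a.attr_value, '|') AS attr_values
FROM items i JOIN attribute_values a ON a.item_id = i.item_id
GROUP BY i.item_id, i.name
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO items VALUES (?, ?)", ITEMS)
    conn.executemany("INSERT INTO attribute_values VALUES (?, ?, ?)", ATTRS)
    return conn


def search_vulnerable(conn, search):
    # The pattern the advisory describes: the search term is spliced straight
    # into the HAVING clause, so quotes in the input become part of the SQL.
    sql = BASE_SQL + f"HAVING GROUP_CONCAT(a.attr_value, '|') LIKE '%{search}%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_parameterized(conn, search):
    # Hardened form: the term is bound as a parameter, and LIKE wildcards in
    # the input are escaped so '%' and '_' are matched literally.
    escaped = (search.replace("\\", "\\\\")
                     .replace("%", "\\%").replace("_", "\\_"))
    sql = BASE_SQL + "HAVING GROUP_CONCAT(a.attr_value, '|') LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",)).fetchall()]


def interpolation_breaks(conn, search):
    # True when the interpolated query no longer parses: a legitimate value
    # with an apostrophe is enough to expose unparameterized input in a test.
    try:
        search_vulnerable(conn, search)
        return False
    except sqlite3.OperationalError:
        return True
```

A regression test that searches for a value containing an apostrophe (such as the constructed vendor name above) fails against the interpolated query and passes against the parameterized one, which is a cheap way to keep the fix from regressing.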