SQL injection in searchArticles function in fossbilling/fossbilling

Valid

Reported on

Jun 29th 2023


Description

The searchArticles function in the KB module makes a call to the getSimpleResultSet function, with the per_page parameter taken from the user without sanitizing before entering the query, leading to the attacker being able to manipulate the query.

Proof of Concept

GET /admin/kb?CSRFToken=4632faf87f0cd5fb8b324915263a01fa&_url=%2Fadmin%2Fkb&search=123&per_page=123' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Referer: http://localhost/admin/kb
Cookie: PHPSESSID=1nkrr4p8ikra2g2sov3fubp273


PoC Image

Impact

SQL injection

We are processing your report and will contact the fossbilling team within 24 hours. 8 months ago
Nhien.IT modified the report
8 months ago
fossbilling/fossbilling maintainer has acknowledged this report 8 months ago
Belle Aerni
8 months ago

Your POC appears to be a completely normal request and your image isn't loading

Nhien.IT modified the report
8 months ago
Nhien.IT
8 months ago

Researcher


Belle Aerni modified the Severity from Medium (6.5) to Critical (9.8) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 8 months ago

This has been validated, however it goes deeper than your post originally states as there are both client and guest API endpoints that will pass the provided limit to the pagination function and that it can be used to delete entire tables, meaning exploitation requires zero permissions and can result in a complete loss of access.

The severity has been updated to a 9.8 to reflect this and this pull request enforces the correct type (an int) on the pagination functions: https://github.com/FOSSBilling/FOSSBilling/pull/1392

nhienit2010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.3 with commit 2ddb74 8 months ago
The fix bounty has been dropped
Pagination.php#L70 has been validated
Pagination.php#L46 has been validated
This vulnerability has now been published 8 months ago
Belle Aerni gave praise 8 months ago
Thanks for finding this, it's a pretty big issue so I'm glad it was discovered and resolved
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation