Serious Security Vulnerability Discovered in Promotion in fossbilling/fossbilling
Reported on Jun 9th 2023
Description
I am writing to report a serious security vulnerability that we have uncovered. Specifically, we have found that promotions applied to certain client groups are still being honored even after the promotions are no longer applicable to those groups.
This means that attackers can potentially gain access to discounted products that should not be available to them, leading to revenue loss and jeopardizing the trust of your customers.
Proof of Concept
1 Log in to the website with administrator privileges
2 Navigate to the promotions section and identify a promotion that is applicable to a specific user group
4 Intercept the request in Burp Suite for any user within that group who orders the applicable product
5 Remove the group association for the Promotion
6 Continue intercepting the requests for any user within that group who orders the applicable product
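A hypothetical model of the flaw these steps exercise, added here as an illustration and not FOSSBilling's code: the vulnerable flow checks the client's group against the promotion once, when the promotion is applied, and stores the discounted price, so removing the group association afterwards is never noticed; the fixed checkout re-evaluates eligibility against the promotion as it exists at order time. The Promotion, Client and Cart types and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Promotion:
    """Constructed stand-in for a promotion record (assumption, not the real model)."""
    code: str
    percent_off: int
    client_groups: set  # ids of the client groups the promotion applies to


@dataclass
class Client:
    id: int
    group_id: int


@dataclass
class Cart:
    client: Client
    price: float
    promo: Optional[Promotion] = None
    discounted_price: Optional[float] = None  # stale copy kept by the vulnerable flow


def promo_applies(promo: Promotion, client: Client) -> bool:
    """Eligibility must be decided against the promotion's CURRENT group list."""
    return client.group_id in promo.client_groups


def apply_promo_vulnerable(cart: Cart, promo: Promotion) -> None:
    """Checks eligibility once, when the promotion is applied, and stores the
    discounted price; removing the group from the promotion later is never
    noticed because checkout trusts the stored value."""
    if promo_applies(promo, cart.client):
        cart.promo = promo
        cart.discounted_price = cart.price * (100 - promo.percent_off) / 100


def checkout_vulnerable(cart: Cart) -> float:
    # Trusts the price computed earlier; no re-validation at order time.
    return cart.price if cart.discounted_price is None else cart.discounted_price


def checkout_fixed(cart: Cart) -> float:
    """Re-evaluates eligibility at order time against the promotion as it is now."""
    if cart.promo is not None and promo_applies(cart.promo, cart.client):
        return cart.price * (100 - cart.promo.percent_off) / 100
    return cart.price
```

The test-style sequence to reproduce the report is: apply the promotion for a client in an eligible group, remove that group from the promotion, then compare what the two checkout functions charge.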
Thank you for your attention to this matter. Please feel free to contact me if you have any additional questions.
Impact
As a responsible security researcher, I strongly urge you to investigate this issue and take immediate action to address it. This could include revoking access to the promotions for all users, modifying the code to correctly enforce the promotion restrictions, or implementing additional security measures to prevent unauthorized access.
PoC: https://drive.google.com/file/d/1KZ_GjmhnAK_A1zQraQUQWHW0Bgd-nVzE/view?usp=sharing
I've been able to validate this report and I've submitted a pull request to resolve it: https://github.com/FOSSBilling/FOSSBilling/pull/1316