SQL injection in searchArticles function in fossbilling/fossbilling

Valid

Reported on

Jun 29th 2023


Description

The searchArticles function in the KB module calls the getSimpleResultSet function with the per_page parameter taken directly from the request, without sanitizing it before it enters the query, which lets an attacker manipulate the query.

Proof of Concept

GET /admin/kb?CSRFToken=4632faf87f0cd5fb8b324915263a01fa&_url=%2Fadmin%2Fkb&search=123&per_page=123' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Referer: http://localhost/admin/kb
Cookie: PHPSESSID=1nkrr4p8ikra2g2sov3fubp273


PoC Image

Impact

SQL injection

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Nhien.IT modified the report
3 months ago
fossbilling/fossbilling maintainer has acknowledged this report 3 months ago
Belle Aerni
3 months ago

Maintainer


Your POC appears to be a completely normal request and your image isn't loading

Nhien.IT modified the report
3 months ago
Nhien.IT
3 months ago

Researcher


Belle Aerni modified the Severity from Medium (6.5) to Critical (9.8) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

This has been validated; however, it goes deeper than your post originally states, as there are both client and guest API endpoints that will pass the provided limit to the pagination function, and it can be used to delete entire tables, meaning exploitation requires zero permissions and can result in a complete loss of access.

The severity has been updated to a 9.8 to reflect this and this pull request enforces the correct type (an int) on the pagination functions: https://github.com/FOSSBilling/FOSSBilling/pull/1392
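As an added illustration (not part of the maintainer's comment, and not FOSSBilling's actual Pagination.php or the code in the linked pull request), the following PHP contrasts a pagination helper that concatenates per_page into the LIMIT clause, as the report describes, with one that enforces an int type and binds the value, as the fix does. The table, rows, function names, the 100-row cap and the request array are constructed for the example; it runs offline against an in-memory SQLite database through PDO.

```php
<?php
// Added example: a constructed stand-in for the pattern the report describes
// (per_page concatenated into the query) and the type-enforcement fix.
// Not FOSSBilling's code; table and helper names are invented for illustration.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE kb_article (id INTEGER PRIMARY KEY, title TEXT)');
for ($i = 1; $i <= 5; $i++) {
    $pdo->exec("INSERT INTO kb_article (title) VALUES ('Article $i')");
}

// Vulnerable pattern: the limit arrives as a string straight from the request
// and is spliced into the SQL text, so the request controls the statement.
function getSimpleResultSetVulnerable(PDO $pdo, string $sql, string $perPage): array
{
    return $pdo->query($sql . ' LIMIT ' . $perPage)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: the limit is typed as int (a string can no longer reach this
// point) and is bound as an integer parameter rather than concatenated.
function getSimpleResultSetFixed(PDO $pdo, string $sql, int $perPage): array
{
    $perPage = max(1, min($perPage, 100)); // constructed cap for the example
    $stmt = $pdo->prepare($sql . ' LIMIT :limit');
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Boundary validation (hypothetical helper): turn the raw request value into
// an int, or fall back to a default, before it is passed down the call chain.
function perPageFromRequest(array $query, int $default = 20): int
{
    $value = filter_var(
        $query['per_page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]
    );
    return $value === false ? $default : $value;
}

$sql = 'SELECT id, title FROM kb_article';
// Constructed request, mirroring the query string of the PoC above.
$query = ['search' => '123', 'per_page' => "123'"];

try {
    getSimpleResultSetVulnerable($pdo, $sql, $query['per_page']);
} catch (PDOException $e) {
    // The trailing quote reached the SQL parser: the request altered the statement.
    echo 'vulnerable: ' . $e->getMessage() . PHP_EOL;
}

try {
    getSimpleResultSetFixed($pdo, $sql, $query['per_page']);
} catch (TypeError $e) {
    // With the int declaration the string never reaches the query at all.
    echo 'fixed (type check): ' . $e->getMessage() . PHP_EOL;
}

// The validated path: an invalid per_page falls back to the default limit.
$rows = getSimpleResultSetFixed($pdo, $sql, perPageFromRequest($query));
echo 'fixed (validated): ' . count($rows) . ' rows' . PHP_EOL;
```

The int declaration alone is what the pull request relies on; the filter_var helper is shown only to make the point that the conversion belongs at the request boundary, so no lower layer has to decide what to do with a string.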

Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.3 with commit 2ddb74 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 1st 2023
Pagination.php#L70 has been validated
Pagination.php#L46 has been validated
Belle Aerni published this vulnerability 3 months ago
Belle Aerni gave praise 3 months ago
Thanks for finding this, it's a pretty big issue so I'm glad it was discovered and resolved
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1