Privilege Escalation Vulnerability in Product Upgrade Module in fossbilling/fossbilling
Jun 9th 2023
Our product upgrade module contained a privilege escalation vulnerability that allowed a user to upgrade to a product they were not authorized to upgrade to.
After an administrator had configured that Product 1 could be upgraded to Product 2, but not to Product 3, a user could use Burp Suite to intercept the upgrade request and change the Product 2 ID to another product ID (Product 3), resulting in an unauthorized product upgrade.
Proof of Concept
1. An administrator configures Product 1 so that it can be upgraded to Product 2, but not to Product 3.
2. The user upgrades Product 1 to Product 2 and intercepts the request using Burp Suite.
3. The user changes the Product 2 ID in the intercepted request to the Product 3 ID, and the upgrade succeeds.
This vulnerability could potentially enable an attacker to gain access to products that they are not supposed to have access to, leading to data leakage, financial losses, and other harmful consequences.
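The server-side check the advisory describes as missing, shown as an added example that is not FOSSBilling's own code; the configuration table, orders table, `Order` record and function names are assumptions made for illustration:

```python
# Added example, not FOSSBilling's own code: a minimal model of the
# server-side check the advisory describes as missing. The configuration
# table, orders table and function names below are assumptions.
from dataclasses import dataclass

class AuthorizationError(Exception):
    """Raised when an upgrade request is not permitted for this client."""

@dataclass(frozen=True)
class Order:
    owner_id: int     # client who owns the order
    product_id: int   # product currently attached to the order

# Constructed admin configuration: product 1 may be upgraded to product 2 only.
ALLOWED_UPGRADES = {1: {2}}

# Constructed orders table: order 101 belongs to client 7 and runs product 1.
ORDERS = {101: Order(owner_id=7, product_id=1)}

def is_upgrade_allowed(current_product, target_product, allowed=ALLOWED_UPGRADES):
    """True only if the admin configured target_product as an upgrade path."""
    return target_product in allowed.get(current_product, set())

def upgrade_vulnerable(client_id, order_id, target_product, orders=ORDERS):
    """Vulnerable pattern: checks ownership, then applies whatever product id
    the request carries. Swapping 2 for 3 in the intercepted request succeeds."""
    order = orders[order_id]
    if order.owner_id != client_id:
        raise AuthorizationError("order does not belong to this client")
    return target_product  # would be written to the order unchecked

def upgrade_hardened(client_id, order_id, target_product,
                     orders=ORDERS, allowed=ALLOWED_UPGRADES):
    """Hardened pattern: the current product comes from the server-side order
    record, never from the request, and the target must be a configured path."""
    order = orders[order_id]
    if order.owner_id != client_id:
        raise AuthorizationError("order does not belong to this client")
    if not is_upgrade_allowed(order.product_id, target_product, allowed):
        raise AuthorizationError(
            f"product {order.product_id} may not be upgraded to {target_product}")
    return target_product

if __name__ == "__main__":
    # Reproduce the advisory's steps: tampered 1 -> 3, then legitimate 1 -> 2.
    print(upgrade_vulnerable(7, 101, 3))   # 3: tampering accepted
    print(upgrade_hardened(7, 101, 2))     # 2: configured path accepted
    print(is_upgrade_allowed(1, 3))        # False: 1 -> 3 is not configured
```

The hardened handler rejects the tampered request from step 3 because the target is checked against the administrator's configuration rather than trusted from the client.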