Unrestricted Upload of File with Dangerous Type in boxbilling/boxbilling
Description
Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unrestricted file upload in BoxBilling's file manager let an authenticated admin achieve remote code execution; the component was removed rather than patched.
Vulnerability
BoxBilling prior to version 0.0.1 (the version bound stated in the advisory; in practice, any build before commit b670599) shipped a file manager component with an unrestricted file upload vulnerability. The file manager accepted uploads from authenticated admin users without validating the file's type or extension, so a PHP script or other executable content could be written to the server. The component was later removed as obsolete and non-functional [1].
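The following is an added example, written for this page and not taken from BoxBilling's code base; it contrasts the upload pattern the advisory describes (client-controlled file name, no type check, file stored where the web server will execute it) with a hardened handler. The function names, the extension allow-list and the storage directory are assumptions for the illustration. BoxBilling's actual fix was to delete the file manager, so the hardened form shows what a retained upload feature would have needed instead.

```php
<?php
// Added example, not BoxBilling code. Function names, the allow-list and the
// storage paths are assumptions chosen for this illustration.
declare(strict_types=1);

// Vulnerable pattern: trusts the client-supplied name and writes the file
// under the document root, so an uploaded "shell.php" is served as PHP.
function vulnerableUpload(array $file, string $webRootUploads): string
{
    $dest = $webRootUploads . '/' . $file['name'];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

// Hardened pattern: extension allow-list, content sniffing of the actual
// bytes, a server-generated name, and storage outside the document root.
function hardenedUpload(array $file, string $storageDir): string
{
    // Assumed allow-list: extension => MIME type the bytes must match.
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'pdf'  => 'application/pdf',
    ];

    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    // Reject paths that did not come through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Only the final extension is considered, and only if it is allow-listed:
    // "shell.png.php" is rejected outright.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        throw new RuntimeException('file type not permitted');
    }

    // Inspect the bytes; never trust the client-declared $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // Discard the client name entirely. A random name with a single safe
    // extension also defuses double-extension tricks like "shell.php.png".
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $dest;
}

// Usage (assumed paths): the hardened directory must lie outside the web
// root and be served only through a download script that sets
// Content-Disposition: attachment.
//   hardenedUpload($_FILES['file'], '/var/lib/boxbilling-uploads');
```

Two caveats a reviewer would raise. First, MIME sniffing is not a complete control: a file that is a valid PNG and also carries PHP in its metadata passes `finfo`, which is why the random non-executable name and the out-of-web-root storage are the controls that actually stop execution. Second, the allow-list must be the final authority on the extension; checking only the MIME type and then keeping the client's name would still let `shell.php` through if its first bytes happened to look like an image.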
Exploitation
An attacker with authenticated access to the BoxBilling admin panel could upload a malicious PHP file through the file manager interface. The uploaded file was stored on the server where it could be requested directly, so the web server would execute it, giving the attacker remote code execution. No privileges beyond standard admin access were required.
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to full compromise of the BoxBilling installation and potentially the underlying server. This can result in data theft, defacement, or further lateral movement.
Mitigation
The vulnerable file manager component was removed in commit b670599 [1]. Users should update to a version that includes this commit or later. As of the publication date, no official patch release was issued; the removal of the component is the recommended fix. The vulnerability was reported via Huntr [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <0.0.1
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.