Business Logic Errors in fossbilling/fossbilling
Description
Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A business logic vulnerability in FOSSBilling prior to 0.5.0 allows users to add invalid addon products to their cart, potentially leading to unauthorized purchases.
Vulnerability
In FOSSBilling versions prior to 0.5.0, a business logic vulnerability exists in the add_item method of the cart functionality. The code did not validate whether addon products selected by the user are actually valid for the associated product. An attacker could manipulate the addons array in the request data to include addon IDs that are not associated with the product, bypassing the intended restriction that only valid addons should be selectable [1][2].
Exploitation
An attacker with the ability to add items to the cart (e.g., any authenticated or unauthenticated user depending on the application configuration) can craft a request to the cart endpoint with a product ID and an arbitrary addon ID in the addons parameter. The attacker sets selected to true for the invalid addon. Before the patch, the code would not check whether the addon ID exists in the product's valid addons list, allowing the attacker to add any addon to the cart [1][2].
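The missing check described above, shown as an added PHP example that is not FOSSBilling's own code: the function names, the allowed-addon catalogue and the request payload are constructed for illustration, and the hardened variant rejects any selected addon that the catalogue does not associate with the product.

```php
<?php
// Added example, not FOSSBilling's code: a simplified add_item-style helper
// showing the unvalidated "before" shape and the validated "after" shape.
// Catalogue, cart and request structures are constructed placeholders.

// Constructed catalogue: product 10 may only be sold with addons 100 and 101.
$allowedAddons = [
    10 => [100, 101],
];

// Unvalidated shape: every addon flagged "selected" in the request is trusted.
function addItemUnchecked(array $cart, int $productId, array $addons): array
{
    $chosen = [];
    foreach ($addons as $addonId => $opts) {
        if (!empty($opts['selected'])) {
            $chosen[] = (int) $addonId;
        }
    }
    $cart[] = ['product' => $productId, 'addons' => $chosen];
    return $cart;
}

// Validated shape: only addons the catalogue associates with the product are
// accepted; an unknown addon rejects the request instead of being silently kept.
function addItemChecked(array $cart, int $productId, array $addons, array $allowed): array
{
    $valid = $allowed[$productId] ?? [];
    $chosen = [];
    foreach ($addons as $addonId => $opts) {
        if (empty($opts['selected'])) {
            continue;
        }
        if (!in_array((int) $addonId, $valid, true)) {
            throw new InvalidArgumentException("Addon $addonId is not valid for product $productId");
        }
        $chosen[] = (int) $addonId;
    }
    $cart[] = ['product' => $productId, 'addons' => $chosen];
    return $cart;
}

// Constructed request: addon 999 is not associated with product 10.
$request = ['100' => ['selected' => true], '999' => ['selected' => true]];

$cart = addItemUnchecked([], 10, $request);
echo "unchecked cart addons: " . implode(',', $cart[0]['addons']) . "\n";

try {
    addItemChecked([], 10, $request, $allowedAddons);
} catch (InvalidArgumentException $e) {
    echo "checked: " . $e->getMessage() . "\n";
}
```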
Impact
Successful exploitation allows the attacker to add addon products to the cart that are not intended to be available for the selected product. This could lead to unauthorized purchase of addons, potentially causing financial loss or unintended service provision. The integrity of the ordering process is compromised [1][2].
Mitigation
The vulnerability has been fixed in FOSSBilling version 0.5.0, released with the commit b65a75fcf70feaf547d414672f78d7cbe8a98e7e [1]. Users should upgrade to version 0.5.0 or later to mitigate this issue. No workarounds are provided in the available references [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.0
- fossbilling/fossbilling/fossbillingv5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.