Business Logic Errors in fossbilling/fossbilling
Description
Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper business logic check in FOSSBilling allows checkout of disabled products, enabling unauthorized product purchases.
Vulnerability
The business logic in FOSSBilling versions prior to 0.5.0 fails to validate whether products added to the cart are enabled before processing an order. The createFromCart method in the order service does not check the product's status field, allowing users to add disabled or invalid products to their cart and complete a purchase [1]. This affects all versions before 0.5.0.
Exploitation
An attacker can exploit this vulnerability by adding a disabled product to their shopping cart and proceeding through the checkout process. No special authentication or elevated privileges are required beyond being a registered user with the ability to add items to a cart. The attacker simply needs to identify a disabled product and complete the order flow [2].
Impact
Successful exploitation allows an attacker to purchase products that the administrator has disabled or made unavailable. This can result in unauthorized access to restricted services, violation of business rules, and potential financial loss or misallocation of resources. The attacker gains the ability to obtain products or services that should not be available for purchase [2].
Mitigation
The vulnerability is fixed in FOSSBilling version 0.5.0, released in June 2023. The fix adds a check in createFromCart that verifies each product's existence and status, throwing an exception if the product is not enabled [1]. Users should upgrade to version 0.5.0 or later. No workarounds are documented for older versions; upgrading is the recommended action.
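The following is an added illustration, not FOSSBilling's own code: the class, method and property names (ProductRepository, Product, CartItem, OrderService and the 'enabled'/'disabled' status convention) are hypothetical stand-ins. It shows the vulnerable shape described above, an order-from-cart routine that trusts cart contents and never consults the product's status, beside a hardened version that resolves each product server-side and rejects the order unless the product exists and is enabled, which is the shape of the check the 0.5.0 fix adds.

```php
<?php
// Added example, not FOSSBilling's code. All class, method and property
// names here are hypothetical; only the "check existence and status before
// creating the order" logic mirrors the fix the advisory describes.
declare(strict_types=1);

final class Product
{
    public function __construct(
        public readonly int $id,
        public readonly string $title,
        public readonly string $status, // 'enabled' or 'disabled' (assumed convention)
        public readonly float $price,
    ) {}
}

final class CartItem
{
    public function __construct(
        public readonly int $productId,
        public readonly int $quantity,
    ) {}
}

// In-memory stand-in for the product table, populated with a constructed catalogue.
final class ProductRepository
{
    /** @var array<int, Product> */
    private array $rows = [];

    public function __construct(Product ...$products)
    {
        foreach ($products as $p) {
            $this->rows[$p->id] = $p;
        }
    }

    public function find(int $id): ?Product
    {
        return $this->rows[$id] ?? null;
    }
}

final class OrderService
{
    public function __construct(private ProductRepository $products) {}

    // Vulnerable shape: whatever product ids arrive in the cart are billed,
    // and the product's status is never consulted, so a disabled product
    // passes straight through to an order.
    public function createFromCartVulnerable(array $cart): array
    {
        $lines = [];
        foreach ($cart as $item) {
            $product = $this->products->find($item->productId);
            $lines[] = [
                'product_id' => $item->productId,
                'total'      => ($product?->price ?? 0.0) * $item->quantity,
            ];
        }
        return $lines;
    }

    // Hardened shape: resolve each product on the server and refuse the whole
    // order if any product is missing or not enabled, before anything is billed.
    public function createFromCart(array $cart): array
    {
        $lines = [];
        foreach ($cart as $item) {
            $product = $this->products->find($item->productId);
            if ($product === null) {
                throw new InvalidArgumentException("Product {$item->productId} does not exist");
            }
            if ($product->status !== 'enabled') {
                throw new RuntimeException("Product '{$product->title}' is not available for purchase");
            }
            $lines[] = [
                'product_id' => $product->id,
                'total'      => $product->price * $item->quantity,
            ];
        }
        return $lines;
    }
}

// Demonstration on constructed data: one enabled and one disabled product.
$repo = new ProductRepository(
    new Product(1, 'Shared hosting', 'enabled', 5.00),
    new Product(2, 'Legacy VPS', 'disabled', 20.00),
);
$service = new OrderService($repo);
$cart = [new CartItem(1, 1), new CartItem(2, 1)];

// Vulnerable path: both lines are produced, including the disabled product.
print_r($service->createFromCartVulnerable($cart));

// Hardened path: the disabled product aborts order creation.
try {
    $service->createFromCart($cart);
} catch (RuntimeException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```

The important design point is that the status check runs against the product record loaded on the server at order time, not against anything the client sent with the cart, and that it rejects the whole order rather than silently dropping the offending line, so an administrator disabling a product takes effect even for carts that were filled before the change.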
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.0
- fossbilling/fossbilling/fossbillingv5 (Range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.