Code Injection in fossbilling/fossbilling
Description
Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Code injection in FOSSBilling prior to 0.5.1 allows remote code execution via unsafe Twig functions.
Vulnerability
A code injection vulnerability exists in FOSSBilling versions prior to 0.5.1, specifically in the Twig template processing. The application incorrectly allowed the use of unsafe Twig functions such as autolink, img_tag, script_tag, and stylesheet_tag that could call arbitrary PHP functions. This bypasses the intended Twig sandbox restrictions, enabling injection of malicious templates. [1][2]
Exploitation
An attacker with the ability to control or influence Twig template content (e.g., through the admin panel or user-provided templates) can craft a template containing calls to unsafe functions. For example, using the script_tag filter with a crafted argument can lead to execution of arbitrary PHP code. No special network position is required beyond application access. [1][2]
Impact
Successful exploitation results in arbitrary code execution on the server, leading to full compromise of confidentiality, integrity, and availability. The attacker can execute system commands, read/write files, and escalate privileges within the application context. [1][2]
Mitigation
The vulnerability is fixed in FOSSBilling version 0.5.1, released on June 22, 2023. Users should upgrade immediately. No workarounds are documented; if upgrade is not possible, restrict access to template editing functionality. [1][2]
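The control that decides whether a template can reach a filter such as script_tag is the Twig sandbox allowlist. The PHP below is an added example, not FOSSBilling's own code; it assumes twig/twig is installed via Composer, and the script_tag filter it registers is a hypothetical, harmless stand-in for the filters named above. It shows how to verify that a tightened allowlist rejects such a template before it runs.

```php
<?php
// Added example, not FOSSBilling's own code. Assumes twig/twig is installed
// via Composer (vendor/autoload.php) and PHP 7.4 or newer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\TwigFilter;

// Build a globally sandboxed Twig environment. The filter is registered in
// every case; only the policy's allowlist decides whether templates may use it.
function buildSandboxedTwig(array $allowedFilters): Environment
{
    $twig = new Environment(new ArrayLoader([]));
    // Hypothetical stand-in for the script_tag filter: it only wraps its input.
    $twig->addFilter(new TwigFilter(
        'script_tag',
        fn (string $src): string => '<script src="' . $src . '"></script>'
    ));
    $policy = new SecurityPolicy(
        ['if', 'for'],    // allowed tags
        $allowedFilters,  // allowed filters: the control under test
        [],               // allowed methods
        [],               // allowed properties
        []                // allowed functions
    );
    // true = sandbox every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

// Returns true when the sandbox rejects the template, false when it renders.
function templateIsBlocked(Environment $twig, string $source): bool
{
    try {
        $twig->createTemplate($source)->render([]);
        return false;
    } catch (SecurityError $e) {
        return true;
    }
}

$template = '{{ "https://example.invalid/x.js"|script_tag }}';

// Permissive allowlist (the situation described above): the template renders.
var_dump(templateIsBlocked(buildSandboxedTwig(['escape', 'script_tag']), $template));
// Allowlist without the risky filter: the template is rejected before it runs.
var_dump(templateIsBlocked(buildSandboxedTwig(['escape']), $template));
```

Running the same check against each filter an application exposes to template authors turns the allowlist into a regression test rather than a one-time configuration.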
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.1
- fossbilling/fossbilling/fossbillingv5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.