Session Fixation in fossbilling/fossbilling
Description
Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation in FOSSBilling prior to 0.5.1 allows an attacker to hijack authenticated sessions by pre-setting a session ID.
Vulnerability
FOSSBilling versions prior to 0.5.1 are vulnerable to session fixation. The application did not regenerate the session identifier upon successful authentication, so a session ID that was valid before login stayed valid, and became privileged, after it. An attacker who can plant a known session ID on the victim's browser (via an injected cookie, for example through a cross-site scripting flaw or a sibling subdomain, or via a URL parameter where the runtime accepts session IDs from the query string; PHP's default session.use_only_cookies=1 closes the URL path, so cookie injection is the usual vector) then waits for the user to log in with that session [2]. The fix in commit [1] introduces a Fingerprint class and regenerates the session ID after login, so the pre-authentication ID no longer resolves to the authenticated session.
Exploitation
An attacker can exploit this by first creating a session on the FOSSBilling instance and obtaining its session ID. The attacker then crafts a link or uses a cross-site scripting vector (if available) to force the victim's browser to present that session ID. When the victim logs in, the session ID remains unchanged, and the attacker can use the same session ID to access the victim's authenticated account [2]. No special network position is required beyond the ability to deliver the session ID to the victim; the attacker's anonymous session must still be alive when the victim logs in, so the window is bounded by the server's session lifetime.
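The scenario above, played end to end as an added example. This is not code from the page or from FOSSBilling (which is written in PHP); it is a Python simulation of a server-side session store with a login that either keeps the pre-authentication session ID (the pre-0.5.1 behaviour) or rotates it (the equivalent of PHP's session_regenerate_id(true)). The user name, password, session IDs and Set-Cookie headers are constructed, and the PHPSESSID cookie name used by the black-box check is an assumption about the target.

```python
"""Session fixation, simulated end to end (constructed example)."""
from __future__ import annotations

import secrets
from http.cookies import SimpleCookie


class SessionServer:
    """Toy server-side session store. regenerate_on_login=False mimics the
    vulnerable behaviour, True the fixed behaviour."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions: dict[str, dict] = {}  # sid -> session data
        # Constructed credential store; not real FOSSBilling users.
        self.users = {"victim@example.com": "correct-horse-battery-staple"}

    def start(self, sid: str | None = None) -> str:
        """Like session_start() with session.use_strict_mode=1: reuse a
        client-supplied ID only if the server already knows it, otherwise
        mint a fresh one. Strict mode alone does not stop fixation: the
        attacker obtains a known-good ID simply by visiting the site."""
        if sid is not None and sid in self.sessions:
            return sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid: str | None, username: str, password: str) -> tuple[str, bool]:
        """Authenticate inside the given session. Returns (sid, success)."""
        sid = self.start(sid)
        expected = self.users.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return sid, False
        if self.regenerate_on_login:
            # session_regenerate_id(true): move the data to a new ID and
            # destroy the old one, so an ID the client carried into the
            # login (possibly planted by an attacker) stops resolving.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, sid: str) -> str | None:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(server: SessionServer) -> str | None:
    """1. Attacker obtains a valid anonymous session ID.
    2. Attacker plants it on the victim (link or injected cookie; the
       delivery mechanism is out of scope here).
    3. Victim logs in while carrying the planted ID.
    4. Attacker presents the same ID: the victim's identity comes back if
       the session was fixated, None if the server rotated the ID on login."""
    planted_sid = server.start()
    _, ok = server.login(planted_sid, "victim@example.com", "correct-horse-battery-staple")
    if not ok:
        raise RuntimeError("victim login failed; scenario is broken")
    return server.whoami(planted_sid)


def login_rotated_session_cookie(set_cookie_before: str, set_cookie_after: str,
                                 name: str = "PHPSESSID") -> bool:
    """Black-box check a tester runs against a live target: compare the
    session cookie issued before login with the Set-Cookie header on the
    successful login response. A regenerating server always sends a new
    value; an unchanged or absent cookie means the pre-auth ID survived
    authentication. The cookie name is an assumption (PHP's default)."""
    before, after = SimpleCookie(), SimpleCookie()
    before.load(set_cookie_before)
    after.load(set_cookie_after)
    if name not in before:
        raise ValueError(f"no {name} cookie in pre-login response")
    if name not in after:
        return False  # login response silently kept the existing ID
    return before[name].value != after[name].value


if __name__ == "__main__":
    print("vulnerable server, attacker sees:", fixation_attack(SessionServer(False)))
    print("fixed server, attacker sees:     ", fixation_attack(SessionServer(True)))
```

The same check carries over to a real engagement: record the session cookie from an unauthenticated request, submit valid credentials, and confirm the cookie value on the login response differs; if it does not, the login is fixable regardless of how the ID was first planted.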
Impact
Successful exploitation lets the attacker act as the victim within FOSSBilling: view the account's sensitive data, modify billing information, and, if the victim holds an administrative role, perform administrative actions [2].
Mitigation
The vulnerability is fixed in FOSSBilling version 0.5.1, released on or around June 23, 2023 [1]. Users should upgrade to 0.5.1 or later immediately; no workaround is documented for earlier versions. The fix regenerates the session ID upon login and adds fingerprinting intended to detect session hijacking attempts [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.1
- fossbilling/fossbilling/fossbillingv5: Range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.