Unrestricted Upload of File with Dangerous Type in fossbilling/fossbilling
Description
Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FOSSBilling prior to 0.5.3 allows unrestricted upload of dangerous file types via the theme upload functionality, enabling arbitrary code execution.
Vulnerability
FOSSBilling versions prior to 0.5.3 contain an unrestricted file upload vulnerability in the theme management functionality. The application does not validate or restrict the types of files accepted as part of a theme upload, so an attacker can include files with server-executable extensions such as .php. The issue was resolved in commit 2ddb7438ee0d05f9a9d01555edcfed820960f114 [1].
Exploitation
An attacker needs administrative access to the FOSSBilling instance, specifically the ability to upload themes; this is therefore an escalation from application administrator to code execution on the host, not an unauthenticated attack. The attacker crafts a malicious PHP file disguised as a theme component and uploads it through the theme upload feature. The application accepts the file without checking its type, and the uploaded file is written to a web-accessible directory, from where the web server executes it when it is requested.
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to full compromise of the application and potentially the underlying server. This can result in unauthorized access to sensitive data, modification of application functionality, and further lateral movement within the hosting environment.
Mitigation
Upgrade to FOSSBilling version 0.5.3 or later, which includes the fix that disables the upload theme functionality and applies stricter input validation [1]. No workaround is available for earlier versions; until an instance is upgraded, limit which accounts hold administrative access and check the theme directory for unexpected .php files. The vulnerability was reported via the Huntr bug bounty platform [2].
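The kind of check the fix calls for, written out as an added example in Python (FOSSBilling itself is PHP, and this is not the project's code). It assumes a theme is uploaded as a zip archive and that the allowed extension set below is what a theme legitimately needs; both are assumptions made for the example. It rejects executable extensions (including double extensions such as logo.png.phtml), server configuration files that could re-enable script execution, symlinks, and member paths that would write outside the theme directory:

```python
import io
import posixpath
import zipfile
from typing import Dict, List, Optional

# Allow-list of file types a theme package may legitimately contain. This set is an
# assumption for the example, not FOSSBilling's actual theme format.
ALLOWED_EXTENSIONS = {
    "css", "js", "html", "twig", "json", "txt", "md",
    "png", "jpg", "jpeg", "gif", "svg", "ico", "woff", "woff2", "ttf",
}

# Server-configuration files that could map a "harmless" extension to the PHP
# handler; rejected regardless of extension.
FORBIDDEN_BASENAMES = {".htaccess", ".user.ini", "web.config"}

MAX_MEMBERS = 2000
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB, guards against zip bombs


def _safe_member_path(name: str) -> Optional[str]:
    """Normalise an archive member name; return None if it would escape the theme directory."""
    if "\x00" in name or "\\" in name or name.startswith("/"):
        return None
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return norm


def validate_theme_archive(data: bytes) -> List[str]:
    """Return the reasons an uploaded theme archive must be rejected (empty list = accept)."""
    problems: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]

    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        return ["too many members (%d)" % len(infos)]

    total = 0
    for info in infos:
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            problems.append("uncompressed size exceeds limit")
            break

        # Unix mode lives in the high 16 bits of external_attr; 0o120000 marks a
        # symlink, which an extractor could follow out of the theme directory.
        if ((info.external_attr >> 16) & 0o170000) == 0o120000:
            problems.append("%s: symlink not allowed" % info.filename)
            continue

        path = _safe_member_path(info.filename)
        if path is None:
            problems.append("%s: path escapes theme directory" % info.filename)
            continue
        if info.is_dir():
            continue

        base = posixpath.basename(path)
        if base in FORBIDDEN_BASENAMES:
            problems.append("%s: server configuration file not allowed" % path)
            continue

        # Take the extension after the LAST dot, so "logo.png.phtml" is judged as
        # "phtml"; a name with no dot has no extension and is rejected as well.
        ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
        if ext not in ALLOWED_EXTENSIONS:
            problems.append("%s: extension '%s' not allowed" % (path, ext or "(none)"))
    return problems


def _build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives; they are not real FOSSBilling themes.
BENIGN_THEME = _build_zip({
    "mytheme/theme.json": b'{"name": "mytheme"}',
    "mytheme/assets/style.css": b"body { color: #333; }",
    "mytheme/html/index.html": b"<html></html>",
})

MALICIOUS_THEME = _build_zip({
    "mytheme/theme.json": b'{"name": "mytheme"}',
    "mytheme/assets/shell.php": b"<?php system($_GET['c']); ?>",
    "mytheme/assets/logo.png.phtml": b"<?php phpinfo(); ?>",
    "../../public/backdoor.php": b"<?php eval($_POST['x']); ?>",
    "mytheme/.htaccess": b"AddType application/x-httpd-php .png",
})

if __name__ == "__main__":
    print("benign:", validate_theme_archive(BENIGN_THEME))
    for p in validate_theme_archive(MALICIOUS_THEME):
        print("malicious:", p)
```

The extension allow-list is only one layer. Because the uploaded files land in a web-accessible directory, the stronger control is to store themes outside the document root, or to configure the web server so that nothing under the theme directory is ever passed to the PHP handler; then a file that slips past the list is still served as static content rather than executed.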
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.3
- fossbilling/fossbilling/fossbillingv5: Range: unspecified
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.