huntr / abhishekmorla / F3782EB1-049B-4998-AAC4-D9798EC1C123
History: Jul 01, 2023 - 7:37 p.m.

Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability.

2023-07-01 19:37:13
abhishekmorla
www.huntr.dev
fossbilling
html injection
open redirect
pdf generation
input sanitization
administrative privileges
security risks

0.001 Low

EPSS

Percentile

27.4%

Description

FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An attacker with administrative access could exploit this vulnerability by inserting a malicious link within the company name field. Consequently, this alteration would impact every client, potentially leading to an open redirect vulnerability.

Proof of Concept

<a href="https://evil.com">Click here</a>

Steps:

  1. Log in to the application utilizing the administrator credentials.
  2. Access the URL: http://172.17.0.2/admin/extension/settings/system.
  3. Modify the company name to "<a href="https://evil.com">Click here</a>" and save the changes.
  4. Now, proceed to log in as any client.
  5. Place an order for a specific domain.
  6. Navigate to the invoice section and click on the PDF option.
  7. Observe that the previously injected malicious HTML code is rendered within the PDF document.

> This sequence of actions reveals a critical vulnerability in the application, whereby an attacker with administrative privileges can exploit the lack of input sanitization. By injecting a malicious link into the company name field, the compromised HTML code propagates throughout the software, affecting all clients. Consequently, when generating invoices in PDF format, the malicious HTML code is rendered, potentially leading to various security risks and exposing users to the attacker’s intended actions.
