Headline
CVE-2023-3568: Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability. in fossbilling
Improper Input Validation in GitHub repository fossbilling/fossbilling prior to 0.5.4.
Description
FOSSBilling does not sanitize values entered by administrators. The issue surfaces when a client generates an invoice for an order: the PDF version of the invoice includes the company name, which is editable through the admin portal. An attacker with administrative access could exploit this by inserting a malicious link into the company name field. Because the setting is global, the change affects every client, potentially leading to an open redirect vulnerability.
Proof of Concept
<a href=https://evil.com>Click here</a>
Steps:
- Log in to the application utilizing the administrator credentials.
- Access the URL: http://172.17.0.2/admin/extension/settings/system.
- Modify the company name to “<a href=https://evil.com>Click here</a>” and save the changes.
- Now proceed to log in as any client.
- Place an order for a specific domain.
- Navigate to the invoice section and click on the PDF option.
- Observe that the previously injected malicious HTML code is rendered within the PDF document.
This sequence of actions demonstrates a critical vulnerability: an attacker with administrative privileges can exploit the lack of input sanitization by injecting a malicious link into the company name field. Because that field is shared, the injected HTML propagates to all clients, and whenever an invoice is generated as a PDF the HTML is rendered rather than shown as text, exposing users to the attacker’s intended actions.
Impact
- Malware Distribution: The attacker may utilize the injected HTML code to deliver malicious payloads or initiate drive-by downloads. This can result in the installation of malware on the client’s system, leading to potential data breaches, system compromise, or further propagation of malware within the network.
- Brand Reputation Damage: If customers or clients receive invoices containing the injected HTML code, it can erode trust and damage the reputation of the affected organization. Such incidents may lead to financial losses, loss of business opportunities, and a negative impact on customer loyalty.
- Open Redirect Vulnerability: The bug also introduces an open redirect vulnerability, enabling the attacker to redirect users to arbitrary external websites. This can be exploited to conduct phishing attacks, deliver malware, or trick users into unknowingly visiting malicious pages that exploit additional vulnerabilities.
- Phishing Attacks: The injected HTML code can contain phishing links, redirecting users to malicious websites that mimic legitimate ones. This can trick unsuspecting users into providing their login credentials, personal information, or financial details, thereby facilitating identity theft, fraud, or further exploitation.
Occurrences
Service.php L156
The ‘name’ parameter has no mitigation for HTML tags.
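The following PHP is an added example and not FOSSBilling's own code. It models the pattern the description and the Service.php occurrence describe (an admin-controlled company name interpolated into the HTML that an invoice PDF is rendered from) and places the unescaped form beside a hardened one. The function names, the array shape and the sample company name are assumptions for illustration; the sample value mirrors the proof of concept above.

```php
<?php
// Added example, not FOSSBilling's own code. Function names, the $company
// array shape and the sample input are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern, as the report describes it: the raw 'name' value is
 * concatenated into the invoice template, so any HTML tags it contains are
 * interpreted by the PDF renderer instead of being shown as text.
 */
function renderInvoiceHeaderVulnerable(array $company): string
{
    return '<h1>' . $company['name'] . '</h1>';
}

/**
 * Hardened pattern: escape every admin-supplied string for an HTML context
 * right before it reaches the template. ENT_QUOTES also escapes both quote
 * characters, so a value cannot break out of an attribute either.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderInvoiceHeaderHardened(array $company): string
{
    return '<h1>' . escapeHtml($company['name']) . '</h1>';
}

/**
 * Optional defence in depth at write time: refuse to store a company name
 * that contains markup at all. Output escaping stays the primary control;
 * this only keeps obviously tagged values out of the settings table.
 */
function isPlainCompanyName(string $name): bool
{
    return $name === strip_tags($name);
}

// Constructed sample input mirroring the report's proof of concept.
$company = ['name' => '<a href=https://evil.com>Click here</a>'];

// The vulnerable renderer passes the anchor tag through unchanged; the
// hardened renderer turns '<' and '>' into entities so the PDF shows the
// literal text rather than a clickable link.
echo renderInvoiceHeaderVulnerable($company), PHP_EOL;
echo renderInvoiceHeaderHardened($company), PHP_EOL;

// The write-time check rejects the tagged sample and accepts an ordinary name.
var_dump(isPlainCompanyName($company['name']));
var_dump(isPlainCompanyName('Example Ltd.'));
```

The escaping belongs at the point where the value enters an HTML context, which is why the hardened renderer escapes on output instead of relying on what was stored. The `strip_tags` comparison is a coarse heuristic (it also alters some legitimate strings containing `<`), so it is useful as an extra gate on the admin form but not as a replacement for escaping.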