Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability exists in FOSSBilling, an open-source billing and client management system, which allows an unauthenticated attacker to bypass payment processing. This bypass can be achieved by sending a specially crafted HTTP request, enabling the attacker to mark unpaid invoices as paid and credit client accounts without actual payment when the Custom payment adapter is enabled. The primary concern is confirming whether this specific payment adapter is in use and assessing potential exposure.
- Unauthenticated attackers can mark invoices as paid.
- Critical for financial systems; confirm relevance and exposure.
- Protect revenue; audit payment adapters and network access.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this vulnerability by sending a specially crafted HTTP request to the IPN callback endpoint of FOSSBilling, provided the Custom payment adapter is enabled. This allows them to bypass actual payment processing and mark invoices as paid, crediting client accounts without a transaction.
- Unauthenticated network access required.
- Triggered via IPN callback endpoint.
- Enables unauthorized invoice payment.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability in FOSSBilling's payment processing could allow an unauthenticated attacker to bypass payment obligations. When the Custom payment adapter is enabled, a specially crafted HTTP request to the IPN callback endpoint may enable an attacker to mark any unpaid invoice as paid and credit the associated client account without any actual payment being made.
- Unpaid invoices and client accounts.
- Sending a crafted HTTP request.
- Unpaid services may be rendered freely.
Operational Fix
Recommended remediation, mitigation, and detection steps
The FOSSBilling billing system's IPN callback endpoint has a critical vulnerability that allows unauthenticated attackers to bypass payment validation. Infrastructure and security teams are most likely responsible for addressing this. The first practical step is to identify all FOSSBilling instances, confirm their exposure to the internet, and assess the criticality of any instances using the Custom payment adapter before planning remediation.
- Own the issue through Infrastructure or Security.
- Verify Custom payment adapter reachability.
- Plan remediation based on exposure risk.