FOSSBilling
cpe:2.3:a:fossbilling:fossbilling:*:*:*:*:*:*:*
- <= 0.7.2
A vulnerability in FOSSBilling, a billing and client management system, allows the exact system version to be leaked through asset cache buster parameters in the HTML output. This issue affects FOSSBilling versions through 0.7.2 and bypasses the 'hide_version_public' security setting. The version information is embedded in the query string of every '<script>' and '<link>' tag generated by the 'script_tag' and 'stylesheet_tag' Twig filters. As a result, all visitors, including unauthenticated guests, can see the version on every page, regardless of the 'hide_version_public' setting. While the 'X-FOSSBilling-Version' HTTP header and the 'guest.system.version' API endpoint respect the 'hide_version_public' setting, the asset cache buster parameters do not. This version exposure facilitates reconnaissance and makes it easier for malicious actors to identify and exploit known vulnerabilities in a given FOSSBilling installation.
Exposing the FOSSBilling version through asset cache buster parameters undermines the 'hide_version_public' security setting, making it easier for attackers to identify and exploit known vulnerabilities in the application.
Users should upgrade to FOSSBilling version 0.8.0, which addresses this vulnerability. The update can be downloaded from the FOSSBilling GitHub Releases page.
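The weakness described above is a cache buster built from the release version itself, so the version appears in every asset URL no matter what the header and API endpoint hide. The following is an added example written for this advisory, not FOSSBilling's own code: it shows that pattern next to a hardened alternative that derives the cache buster from the asset's contents, plus a check a defender can run over their own rendered pages. The `?v=` query-parameter format, the content-hash approach, and the sample HTML are assumptions; the advisory does not state how version 0.8.0 resolved the issue.

```python
"""Cache-busting asset URLs without leaking the application version.

Added example for this advisory; not FOSSBilling's code. The query-string
format and the content-hash fix are assumptions, not the project's actual
implementation.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

APP_VERSION = "0.7.2"  # constructed: the release an affected install would reveal


def version_buster(asset_path: str, version: str = APP_VERSION) -> str:
    """Weak pattern: the version string itself is the cache buster.

    Any visitor can read it from the page source, so a 'hide version' setting
    that only guards headers and API responses does not cover it.
    """
    return f"{asset_path}?v={version}"


def content_hash_buster(asset_path: str, content: bytes) -> str:
    """Hardened pattern: derive the buster from the asset's bytes.

    It still changes whenever the file changes (so caches invalidate) but
    reveals nothing about the release the file shipped in.
    """
    digest = hashlib.sha256(content).hexdigest()[:12]
    return f"{asset_path}?v={digest}"


class _AssetCollector(HTMLParser):
    """Collect src/href attributes from <script> and <link> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value)


def asset_urls(html: str) -> list[str]:
    parser = _AssetCollector()
    parser.feed(html)
    return parser.urls


# Matches dotted release numbers such as 0.7.2; unrelated numeric parameters
# of the same shape would also match, so treat hits as leads to review.
_VERSION_RE = re.compile(r"^\d+\.\d+(\.\d+)?$")


def leaked_versions(html: str) -> list[str]:
    """Return query-string values on asset URLs that look like release versions.

    Defender's check: run it against your own rendered pages after enabling the
    hide-version setting; an empty list means no asset URL carries a
    version-shaped cache buster.
    """
    found = []
    for url in asset_urls(html):
        for values in parse_qs(urlparse(url).query).values():
            found.extend(v for v in values if _VERSION_RE.match(v))
    return found


# Constructed sample pages (not captured from a real installation).
CSS_BYTES = b"body { color: #333; }"
WEAK_HTML = (
    f'<link rel="stylesheet" href="{version_buster("/assets/app.css")}">\n'
    f'<script src="{version_buster("/assets/app.js")}"></script>'
)
HARDENED_HTML = (
    f'<link rel="stylesheet" href="{content_hash_buster("/assets/app.css", CSS_BYTES)}">'
)

if __name__ == "__main__":
    print("weak page leaks:", leaked_versions(WEAK_HTML))          # ['0.7.2', '0.7.2']
    print("hardened page leaks:", leaked_versions(HARDENED_HTML))  # []
```

The content-hash buster keeps the property cache busting actually needs (the URL changes when the file changes) while dropping the one that causes the leak (a one-to-one mapping to the release number). Checking rendered HTML rather than configuration is the point of `leaked_versions`: as the advisory notes, a setting can be honoured by some code paths and ignored by others, so the rendered output is what has to be verified.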