FOSSBilling Open Redirect Vulnerability in Redirect Module

Vulnerability

An open redirect vulnerability has been identified in FOSSBilling versions through 0.7.2. The issue arises in the Redirect module, which fails to validate the URL scheme of destination URLs configured by administrators. This lack of validation allows arbitrary external URLs to be set as redirect targets, enabling phishing attacks. When a user follows a legitimate FOSSBilling URL, they can be silently redirected to an attacker-controlled site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts.

Impact

Exploitation of this vulnerability allows for open redirects, where users can be sent to external sites controlled by an attacker, potentially leading to phishing attacks.

Reproduction

To reproduce this vulnerability, an administrator must create or modify a redirect entry in the FOSSBilling Redirect module prior to version 0.8.0. The administrator can input any external URL as the redirect target, which will be accepted without validation. Once the redirect is saved, users following a FOSSBilling URL will be redirected to the specified external site. This redirect will be a 301 response, which browsers will cache, increasing the vulnerability's impact.

Remediation

Users should upgrade to FOSSBilling version 0.8.0 or later, restrict admin access to the Redirect module to trusted administrators, and audit existing redirect entries in the database for any unexpected or external target URLs.
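The destination check the advisory says the Redirect module lacks, together with the audit of stored redirect entries that the remediation recommends, as an added Python example. This is not FOSSBilling code (the project itself is PHP); the allowed-host set, the row shape and the sample rows are constructed for the example.

```python
from urllib.parse import urlparse

# Hosts a redirect target may point at. Constructed for this example; a real
# deployment would take this from its own site configuration.
ALLOWED_HOSTS = {"billing.example.com"}


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only when `target` stays on an allowed host.

    Accepts a site-root-relative path ("/client/login") or an absolute
    http(s) URL whose host is in `allowed_hosts`. Everything else is rejected:
    other schemes, protocol-relative "//host" forms, backslash and control
    character variants, and userinfo tricks such as "https://good@evil/".
    """
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False  # empty, whitespace or control characters
    if "\\" in target:
        return False  # browsers treat "/\\host" the same as "//host"
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash; "//host" is excluded
        # above via netloc, this guards the plain-string form as well.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto:, and so on
    host = (parts.hostname or "").lower()  # hostname ignores userinfo and port
    if not host:
        return False  # e.g. "http:///evil" which browsers repair to http://evil
    return host in {h.lower() for h in allowed_hosts}


def audit_redirects(entries, allowed_hosts=ALLOWED_HOSTS):
    """Return the stored entries whose target fails the destination check."""
    return [e for e in entries if not is_safe_redirect_target(e["target"], allowed_hosts)]


# Constructed sample rows shaped like a slug -> target mapping an administrator
# might have saved through the module; not real FOSSBilling data.
SAMPLE_REDIRECTS = [
    {"slug": "login", "target": "/client/login"},
    {"slug": "docs", "target": "https://billing.example.com/kb"},
    {"slug": "promo", "target": "https://evil.example/login"},
    {"slug": "support", "target": "//evil.example/support"},
    {"slug": "help", "target": "https://billing.example.com@evil.example/"},
    {"slug": "js", "target": "javascript:void(0)"},
]

if __name__ == "__main__":
    for row in audit_redirects(SAMPLE_REDIRECTS):
        print(f"FLAG slug={row['slug']!r} target={row['target']!r}")
```

Run against a dump of the real redirect table, `audit_redirects` lists every entry an administrator should review; the same `is_safe_redirect_target` check applied at save time is the allow-list validation the advisory describes as missing. Because the module answers with a cached 301, fixing a bad entry is not enough on its own: users who already followed it keep the cached redirect until their browser cache expires or is cleared.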

Added: Jun 3, 2026, 8:21 PM
Updated: Jun 3, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 0.2
exploitability: 4.8
remediation: 7.9
relevance: 9.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.