Executive Summary

This vulnerability in FOSSBilling versions prior to 0.8.0 causes the exact system version to be leaked through asset cache buster parameters embedded in the HTML output. Specifically, the version number is included in the query strings of every <script> and <link> tag generated by Twig filters, regardless of the `hide_version_public` security setting.

This means that unauthenticated visitors can see the exact FOSSBilling version on every page, which undermines the intended protection of hiding the version number from the public. Although the HTTP header and API endpoint correctly respect the setting, the asset URLs do not, making it easier for attackers to identify the version and potentially exploit known vulnerabilities.

The issue was patched in version 0.8.0. There is no practical workaround without modifying the source code.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to easily determine the exact version of FOSSBilling you are running by viewing the version embedded in asset URLs. This facilitates reconnaissance by making it simpler for malicious actors to identify known vulnerabilities specific to that version.

While this exposure does not directly compromise confidentiality, integrity, or availability, it lowers the barrier for attackers to craft targeted exploits against your installation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the HTML output of your FOSSBilling installation for the presence of the exact system version embedded in the query strings of <script> and <link> tags. Specifically, look for asset cache buster parameters that include the version number, which should not be visible if the hide_version_public setting is working correctly.

Since the version is exposed in the query strings of asset URLs, you can use network inspection tools or command-line utilities to fetch and analyze the HTML content of pages served by your FOSSBilling system.

• Use curl or wget to retrieve the HTML of a page and grep for version patterns in script or link tags, for example:
• curl -s http://your-fossbilling-site/ | grep -E '<script[^>]+src=["'][^"']*\?v=[0-9.]+'
• curl -s http://your-fossbilling-site/ | grep -E '<link[^>]+href=["'][^"']*\?v=[0-9.]+'

If the version number appears in these query strings, it indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation step is to upgrade your FOSSBilling installation to version 0.8.0 or later, where this issue has been patched.

There is no practical workaround to remove the version from asset URLs without modifying the source code, so upgrading is the most effective immediate action.

Before upgrading, review the release notes for version 0.8.0, back up your installation, and ensure your environment meets the new requirements such as PHP 8.3 or newer.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability leaks the exact system version of FOSSBilling through asset cache buster parameters in HTML output, which is visible to unauthenticated visitors. While it exposes information that could facilitate targeted attacks, it does not directly impact confidentiality, integrity, or availability of data.

Because the vulnerability involves exposure of system version information rather than personal or sensitive user data, it does not directly violate compliance requirements of standards like GDPR or HIPAA. However, by making it easier for attackers to identify vulnerabilities, it could indirectly increase risk to protected data if exploited.

Organizations relying on FOSSBilling should consider this exposure as a potential security risk that may affect their overall security posture, but the vulnerability itself is not a direct compliance failure under common data protection regulations.

Useful 0 Not Useful 0