Yesterday, 08:10 AM
Hello FOSSBilling community,
I'm experiencing an attack (after an abusive free user harassed us) where unauthorized emails are being added to the `mod_email_queue` table, and I suspect there may be a vulnerability in FOSSBilling's email queue handling.
Issue Summary:
- Hundreds of identical payment reminder emails are being queued to the email address linked to a FOSSBilling client user & invoice
- These emails are appearing in the database with status 'unsent' and incrementing IDs
- With cron jobs, these emails are sent in batch with extremely high volume
- The emails reference an already suspended client_id but are being triggered repeatedly by the cron jobs (before I purged the `mod_email_queue` table)
Database Dump from the `mod_email_queue` table:
(3115, '[REDACTED_SPAMMER_EMAIL]', '[REDACTED_FOSSBILLING_SUPPORT_EMAIL]', '[[MY_FOSSBILLING_DOMAIN].org] Payment Reminder', ...),
(3116, '[REDACTED_SPAMMER_EMAIL]', '[REDACTED_FOSSBILLING_SUPPORT_EMAIL]', '[[MY_FOSSBILLING_DOMAIN].org] Payment Reminder', ...),
(3117, '[REDACTED_SPAMMER_EMAIL]', '[REDACTED_FOSSBILLING_SUPPORT_EMAIL]', '[[MY_FOSSBILLING_DOMAIN].org] Payment Reminder', ...),
-- Continues with thousands of incrementing IDs
All entries:
- Have `status: 'unsent'` and get queued when the cron job runs
- Reference the same invoice, same user
Unlikely:
- Direct database compromise (no other tables affected, no admin accounts created)
- Server-level compromise (no unauthorized file access)
- Compromised admin panel (no suspicious FB login activity)
Current Theory:
I suspect there may be an unauthenticated API endpoint or a flaw in the email queue system that allows external parties to inject predefined (hopefully not arbitrary) system emails into the queue.
My Setup:
- FOSSBilling version: 0.7.2
- PHP version: 8.4.8
- MySQL version: 8.0.44
Security dashboard at /admin/security:
- All checks passed
I've cleared the malicious queue entries and am monitoring for new insertions, but I need to identify and patch the root cause.
Has anyone else experienced this? Is this a known issue, and if so, what's the recommended fix?
Any guidance would be greatly appreciated.
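As an added example, not part of this post and not FOSSBilling's own code: a monitoring and cleanup routine for the kind of queue flood described above, run here against an in-memory SQLite copy of the table populated with constructed sample rows (one legitimate sent reminder plus a burst of identical unsent ones). The column names are assumed from the BoxBilling-derived schema (`id`, `recipient`, `sender`, `subject`, `client_id`, `status`, `created_at`) and must be checked against `SHOW CREATE TABLE mod_email_queue` on the real instance; the threshold and time window are illustrative.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed column subset of FOSSBilling's mod_email_queue; verify against your schema.
SCHEMA = """
CREATE TABLE mod_email_queue (
    id         INTEGER PRIMARY KEY,
    recipient  TEXT    NOT NULL,
    sender     TEXT    NOT NULL,
    subject    TEXT    NOT NULL,
    client_id  INTEGER,
    status     TEXT    NOT NULL,
    created_at TEXT    NOT NULL
);
"""

# Detection: more than `threshold` identical unsent rows for one recipient/subject/client
# created since `since`. On MySQL the same statement works unchanged.
FLOOD_SQL = """
SELECT recipient, subject, client_id,
       COUNT(*) AS n, MIN(id) AS first_id, MAX(id) AS last_id
FROM mod_email_queue
WHERE status = 'unsent'
  AND created_at >= ?
GROUP BY recipient, subject, client_id
HAVING COUNT(*) > ?
ORDER BY n DESC
"""

# Cleanup: keep the oldest unsent copy per key, drop the rest. MySQL refuses to
# read the target table in a DELETE subquery (error 1093); wrap the inner SELECT
# in a derived table (SELECT keep_id FROM (...) AS k) there.
DEDUPE_SQL = """
DELETE FROM mod_email_queue
WHERE status = 'unsent'
  AND id NOT IN (
      SELECT MIN(id) FROM mod_email_queue
      WHERE status = 'unsent'
      GROUP BY recipient, subject, client_id
  )
"""


def build_sample_db():
    """Constructed sample data: one normal sent reminder and a 250-row flood."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    base = datetime(2025, 1, 1, 8, 0, 0)
    rows = [(3100, "client@example.net", "support@example.org",
             "[example.org] Payment Reminder", 41, "sent",
             (base - timedelta(days=1)).isoformat(" "))]
    for i in range(250):  # identical unsent reminders, one per second
        rows.append((3115 + i, "abuser@example.com", "support@example.org",
                     "[example.org] Payment Reminder", 77, "unsent",
                     (base + timedelta(seconds=i)).isoformat(" ")))
    conn.executemany("INSERT INTO mod_email_queue VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def find_floods(conn, since, threshold=10):
    """Return one dict per (recipient, subject, client_id) group exceeding threshold."""
    return [dict(r) for r in conn.execute(FLOOD_SQL, (since, threshold))]


def quarantine_duplicates(conn):
    """Delete duplicate unsent rows, keeping the lowest id per key; return rows removed."""
    cur = conn.execute(DEDUPE_SQL)
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_floods(db, "2025-01-01 00:00:00", threshold=10):
        print(f"FLOOD {hit['recipient']} x{hit['n']} ids {hit['first_id']}-{hit['last_id']}")
    print("removed", quarantine_duplicates(db))
```

Running `find_floods` from a cron entry scheduled a minute before FOSSBilling's own cron is the cheapest way to catch a new burst before it is sent; pass a `since` a few minutes in the past so a long-lived legitimate backlog is not counted. Add any column your version uses to tie the row to the invoice to the `GROUP BY` key so distinct reminders to one client are not collapsed.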