FreshRSS
cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*
- <= 1.26.1
A vulnerability in FreshRSS versions prior to 1.26.2 allows for privilege escalation when the server uses HTTP authentication through a reverse proxy. By sending specially crafted requests via the 'add feed' functionality and scraping the CSRF token with XPath, an attacker can impersonate any user using the 'Remote-User' or 'X-WebAuth-User' headers. This exploitation requires knowledge of the FreshRSS instance's IP address and the admin's username, as well as an existing account on the platform. The vulnerability can also be used to gain unauthorized access to internal services. Users who have configured OpenID Connect are not susceptible to the privilege escalation aspect of this vulnerability.
Exploitation of this vulnerability can lead to unauthorized access to internal services and privilege escalation on the FreshRSS instance.
To reproduce this vulnerability, first ensure that the FreshRSS instance is behind a reverse proxy that passes the 'Remote-User' or 'X-WebAuth-User' headers. The FreshRSS instance must be configured to trust the proxy by including its IP address in the 'TRUSTED_PROXY' environment variable. Once this is set up, obtain the CSRF token by scraping the 'add feed' functionality with XPath. After acquiring the token, send a request to promote a user by using the token to impersonate an admin user.
Users can update to FreshRSS version 1.26.2 or later, where this vulnerability has been patched.
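A triage sketch for operators, added here as an example and not code from FreshRSS or from this advisory: it maps one instance's version and settings onto the conditions described above. The `triage` function, its boolean inputs, and the whitespace-separated format assumed for `TRUSTED_PROXY` are assumptions, and the sample inventory is constructed.

```python
import ipaddress
import re

FIXED = (1, 26, 2)  # first patched release named in the advisory


def parse_version(text):
    """Return (major, minor, patch); only plain release versions are accepted."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def trusted_networks(value):
    """Parse a TRUSTED_PROXY value (assumed: whitespace-separated IPs/CIDRs)."""
    # strict=False accepts entries with host bits set, e.g. 192.168.0.1/16.
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]


def triage(version, http_auth, oidc, trusted_proxy, instance_ips):
    """Map one instance's settings onto the conditions the advisory lists."""
    result = {"affected": parse_version(version) < FIXED,
              "internal_access": False, "privilege_escalation": False,
              "self_trusted": []}
    if not result["affected"]:
        return result
    # The advisory exempts OIDC setups only from the privilege escalation part.
    result["internal_access"] = True
    nets = trusted_networks(trusted_proxy)
    # Header impersonation needs HTTP auth, a trusted proxy, and no OIDC.
    result["privilege_escalation"] = http_auth and not oidc and bool(nets)
    # Assumption (not from the advisory): flag the instance's own addresses
    # that fall inside a trusted range so the operator can review that trust.
    for ip in map(ipaddress.ip_address, instance_ips):
        if any(ip in net for net in nets):
            result["self_trusted"].append(str(ip))
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real deployment.
    samples = [
        ("1.26.1", True, False, "172.16.0.1/12 192.168.0.1/16", ["172.18.0.5"]),
        ("1.26.1", True, True, "172.16.0.1/12", ["172.18.0.5"]),
        ("1.26.2", True, False, "172.16.0.1/12", ["172.18.0.5"]),
    ]
    for sample in samples:
        print(sample[0], triage(*sample))
```

Development or pre-release version strings raise `ValueError` on purpose, so they are reviewed by hand instead of being treated as patched.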