FreeScout CRLF Injection Vulnerability Allowing .env File Manipulation

A vulnerability in FreeScout prior to version 1.8.178 allows for CRLF injection due to insufficient validation of user-supplied data. This flaw enables an authenticated user with admin rights to inject special characters into strings, which can then be used to manipulate environment variables in the application's .env file. Exploitation of this vulnerability could lead to unauthorized changes in application settings or the interception of sensitive information, such as license keys for paid add-ons.

Impact

Exploitation of this vulnerability could result in unauthorized modifications to the application's .env file, allowing attackers to change critical configuration settings, such as enabling debugging or intercepting license keys for paid add-ons via a controlled proxy.

Reproduction

To reproduce this vulnerability, an authenticated user with admin rights can send a POST request to the '/app-settings' endpoint. The request must include injected strings containing special characters (such as carriage return, newline, or tab) in specific settings parameters. This injection takes advantage of the application's lack of proper input validation, allowing the user to manipulate environment variables that would typically be restricted.

Remediation

Users are advised to update FreeScout to version 1.8.178 or later, where this vulnerability has been patched.