FreeScout Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in FreeScout versions prior to 1.8.178. The issue arises from inadequate validation of the php_path parameter: its value is passed into a shell command without sanitization, so a value containing a backtick-encased command is command-substituted by the shell and executed on the server. Exploitation requires an administrator account. An administrator first creates a translation whose content carries the backtick payload and then points php_path at the resulting translation folder, after which the injected command runs when the tools.php interface is invoked.

Impact

Successful exploitation gives the attacker remote code execution on the server hosting FreeScout, with the injected command running under the operating-system account of the web server or PHP process that serves the application. This allows reading local files the application can reach (including its configuration and database credentials), modifying application data, and potentially escalating privileges further on the host. Because the attacker must already hold an administrator account, the practical risk is that an admin-level account compromise turns into full host compromise.

Reproduction

To reproduce this vulnerability, an administrator first creates a translation containing backtick characters so that the stored value is interpreted by the shell as a command substitution. Once the translation is saved, the php_path parameter is set to the path of the created translation folder, which now contains the injected command. When the tools.php script is then executed with this value, the shell runs the command inside the backticks on the server.
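The following PHP snippet is an added illustration of the vulnerability class described above; it is not FreeScout's code, and the function names, the regular expression and the `-v` command it builds are hypothetical. It contrasts a pattern that drops a user-controlled interpreter path straight into a shell command string (where a backtick-encased value is command-substituted) with a hardened version that validates the value against a strict allow-list, resolves it to an existing executable, and quotes it with `escapeshellarg()` before use.

```php
<?php
// Added example, not FreeScout's code. Demonstrates why an unvalidated
// "php_path" setting is dangerous when it ends up inside a shell command.

// Hypothetical vulnerable pattern: the setting is trusted and concatenated into
// a shell string. With $phpPath = '`id`' the shell substitutes the output of `id`
// before the command even runs, so arbitrary commands execute as the PHP user.
function buildCommandVulnerable(string $phpPath): string
{
    return $phpPath . ' -v';
}

// Hardened: accept only a plain absolute path, then require that it resolves to
// an existing executable file. The allow-list excludes backticks, $(...),
// whitespace, quotes and every other shell metacharacter.
function validatePhpPath(string $phpPath): string
{
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#', $phpPath)) {
        throw new InvalidArgumentException('php_path contains disallowed characters');
    }
    $resolved = realpath($phpPath);   // also collapses "../" and symlinks
    if ($resolved === false || !is_file($resolved) || !is_executable($resolved)) {
        throw new InvalidArgumentException('php_path is not an executable file');
    }
    return $resolved;
}

// escapeshellarg() wraps the value in single quotes, so even if validation were
// bypassed the shell would treat backticks as literal characters.
function buildCommandHardened(string $phpPath): string
{
    return escapeshellarg(validatePhpPath($phpPath)) . ' -v';
}

// Constructed sample input: a backtick-encased command of the kind described above.
$payload = '`id`';

echo "vulnerable: " . buildCommandVulnerable($payload) . PHP_EOL;

try {
    echo "hardened:   " . buildCommandHardened($payload) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

// A legitimate value passes validation only if it exists and is executable on this host.
try {
    echo "hardened:   " . buildCommandHardened('/usr/bin/php') . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
}
```

Run with `php example.php`. Note that the vulnerable function only builds the command string here; if that string were handed to `shell_exec()` or `exec()`, the shell would execute `id` first and then attempt to run its output as a program. Validation and quoting are complementary: the allow-list is the primary control, and `escapeshellarg()` limits the blast radius if the allow-list is ever loosened.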

Remediation

Users are advised to update FreeScout to version 1.8.178 or later, where this vulnerability has been patched. Until the update is applied, limit the number of administrator accounts, protect them with strong authentication, and review existing translations and the configured php_path value for unexpected backtick or other shell metacharacters.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.