FreeScout Avatar Upload Vulnerability Leading to .htaccess Deletion

Vulnerability

A vulnerability in FreeScout prior to version 1.8.180 allows an authenticated user who is an administrator or who holds the User::PERM_EDIT_USERS permission to control the path stored for a user's avatar. The create-user workflow accepts the avatar location from the 'photo_url' request parameter without validating it, so a value such as '../.htaccess' is stored verbatim as the new user's avatar path. When that avatar is later deleted, the application removes the file at the stored path relative to the avatar directory, which for '../.htaccess' resolves to the .htaccess file in /storage/app/public. The root cause is improper enforcement of the intended workflow: the avatar path is supposed to be set only by the upload step, but the request lets a user skip that step and supply the path directly, which turns the delete action into a path-traversal file deletion within the storage tree.

Impact

A user with the required privileges can delete the .htaccess file from /storage/app/public. On Apache deployments that file carries the per-directory rules FreeScout relies on for the public storage tree, so removing it weakens the application's file-handling and access-control behaviour for files served from that location. Two caveats bound the severity: the attacker must already be an administrator or hold User::PERM_EDIT_USERS, so the realistic scenarios are a malicious insider or a compromised privileged account; and web servers that do not read .htaccess files (nginx, for example) lose nothing from the deletion itself, although the unchecked avatar path is still a defect that needs the fix.

Reproduction

To reproduce this vulnerability:

1. Authenticate as an administrator or as a user holding the User::PERM_EDIT_USERS permission.
2. Create a new user through the '/users/wizard' endpoint, setting the 'photo_url' parameter to '../.htaccess' so that this path is stored as the new user's avatar.
3. Send a request to the '/users/ajax' endpoint with the action that deletes a user's photo and the user ID of the user created in the previous step.
4. Inspect /storage/app/public: the .htaccess file has been removed.
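The mechanism behind these steps, as an added illustration that is not FreeScout's own code: a small PHP script with the avatar-deletion step written twice, once trusting the stored photo_url the way the advisory describes and once with the validation a fix needs. It builds a throwaway copy of the relevant directory layout in a temp directory so it runs offline; the function names, the filename pattern accepted by the hardened version and the fixture contents are assumptions of this example, not FreeScout's (which uses Laravel's Storage layer rather than plain filesystem calls).

```php
<?php
// Added illustration, not FreeScout's code: the avatar-deletion pattern behind
// the advisory, in a vulnerable and a hardened form, run against a temp tree.

// Build a throwaway copy of the relevant layout (constructed for this example):
//   <base>/storage/app/public/.htaccess
//   <base>/storage/app/public/users/        <- avatar directory
function makeFixture(): string {
    $base   = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
    $public = "$base/storage/app/public";
    mkdir("$public/users", 0700, true);
    file_put_contents("$public/.htaccess", "# per-directory rules\n");
    file_put_contents("$public/users/alice.jpg", "fake-jpeg-bytes");
    return $public;
}

// Vulnerable: the stored photo_url is trusted and joined straight onto the
// avatar directory, so '../.htaccess' resolves to <public>/.htaccess.
function deletePhotoVulnerable(string $public, string $photoUrl): bool {
    $path = "$public/users/$photoUrl";
    return file_exists($path) && unlink($path);
}

// Hardened: the value must look like a filename the application itself would
// generate (assumed pattern: letters, digits, '_' or '-' plus an image
// extension), and the resolved path must stay inside the avatar directory.
function deletePhotoHardened(string $public, string $photoUrl): bool {
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/', $photoUrl)) {
        return false;                      // rejects '..', separators and dotfiles
    }
    $dir  = realpath("$public/users");
    $path = realpath("$dir/$photoUrl");
    if ($dir === false || $path === false) {
        return false;                      // missing directory or file
    }
    if (strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;                      // symlink or other escape from the avatar dir
    }
    return unlink($path);
}

// Demonstration: the same traversal payload against both versions.
$public = makeFixture();
deletePhotoVulnerable($public, '../.htaccess');
echo 'vulnerable: .htaccess '
   . (file_exists("$public/.htaccess") ? 'survived' : 'DELETED') . "\n";

$public = makeFixture();
$accepted = deletePhotoHardened($public, '../.htaccess');
echo 'hardened:   request ' . ($accepted ? 'accepted' : 'rejected') . ', .htaccess '
   . (file_exists("$public/.htaccess") ? 'survived' : 'DELETED') . "\n";
echo 'hardened:   legitimate avatar '
   . (deletePhotoHardened($public, 'alice.jpg') ? 'deleted' : 'kept') . "\n";
```

Run it with `php avatar_demo.php`. The hardened version layers two checks on purpose: the allow-list pattern rejects anything that is not shaped like a generated avatar name (so '../.htaccess' never reaches the filesystem), and the realpath containment check catches symlinks or other tricks that a pattern alone would not; comparing against the directory path with a trailing separator avoids treating a sibling such as `users-backup` as inside the avatar directory.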

Remediation

Upgrade FreeScout to version 1.8.180 or later, which contains the fix. Until the upgrade is applied, exposure is limited to accounts with administrative rights or the User::PERM_EDIT_USERS permission, so review which accounts hold that permission, and confirm that /storage/app/public/.htaccess is still present, restoring it if it has been removed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.