FreshRSS Directory Enumeration Vulnerability

A directory enumeration vulnerability has been identified in FreshRSS versions 1.26.3 and prior. By manipulating the theme field to include specific path references, attackers can determine the existence of certain directories on the server. This could lead to the disclosure of additional information about the server's environment. The vulnerability arises because FreshRSS does not properly validate theme paths before applying them, allowing for the injection of directory traversal sequences. Exploitation involves sending a crafted theme parameter that references directories containing sensitive metadata, which FreshRSS then processes as valid themes.

Impact

Successful exploitation allows for directory enumeration, where an attacker can verify the existence of specific directories and potentially infer information about the server's software and configuration.

Reproduction

To reproduce this vulnerability, navigate to the display settings in FreshRSS and submit the form with Burp Suite proxy enabled. After submission, check the response for indications of directory existence, such as broken CSS, which suggests the directory is present.

Remediation

Users can upgrade to FreshRSS version 1.27.0 or later, where this vulnerability has been patched.