FreshRSS Authentication Bypass Vulnerability Allowing Unauthorized Feed Access

Vulnerability

An authentication bypass vulnerability has been identified in FreshRSS versions prior to 1.28.0. It stems from a flaw in the authentication logic for master authentication tokens, which allows unauthorized access to the feeds of any user when anonymous viewing is enabled. Under that setting only the default user's feed is meant to be readable anonymously, while other users' feeds should remain private. The vulnerability also leaks authentication tokens through the viewed feeds, and a leaked token remains usable even after the vulnerability is patched or anonymous viewing is disabled.
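The access rule the advisory describes (anonymous viewing exposes only the default user's feed; any other feed needs that user's own session or that user's own token) written out as an added illustrative check. This is example code for defenders, not FreshRSS's code; the user names, token values and the FeedRequest/feed_access_allowed names are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample state for this example (not FreshRSS's real storage layout).
DEFAULT_USER = "alice"
USER_TOKENS: Dict[str, str] = {  # per-user master tokens, constructed values
    "alice": "tok-alice-0001",
    "bob": "tok-bob-0002",
}


@dataclass(frozen=True)
class FeedRequest:
    requested_user: str                    # whose feed is being asked for
    session_user: Optional[str] = None     # logged-in user, if any
    presented_token: Optional[str] = None  # token supplied with the request, if any


def feed_access_allowed(req: FeedRequest, *, anonymous_view: bool,
                        default_user: str = DEFAULT_USER,
                        tokens: Dict[str, str] = USER_TOKENS) -> bool:
    """Decide whether requested_user's feed may be served.

    Rule, in order:
      1. a session for that same user is sufficient;
      2. a presented token must equal the token of the *requested* user
         (constant-time compare); a mismatch or unknown user is a denial,
         never a fall-through to the anonymous rule;
      3. with no credentials at all, only the default user's feed is
         readable, and only while anonymous viewing is enabled.
    """
    if req.session_user is not None and req.session_user == req.requested_user:
        return True
    if req.presented_token is not None:
        expected = tokens.get(req.requested_user)
        if expected is None:
            return False
        return hmac.compare_digest(req.presented_token, expected)
    return anonymous_view and req.requested_user == default_user
```

The point of step 2 is that a token is only ever checked against the user whose feed is requested, so holding any valid token never opens another user's feed.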

Impact

Exploitation of this vulnerability allows unauthorized access to any user's feed data, bypassing privacy restrictions. Additionally, it enables the leakage of master authentication tokens from the accessed feeds, which can be misused after the vulnerability is resolved.

Reproduction

To reproduce this vulnerability, create a test user and enable anonymous viewing. After logging out, access the application and request a feed using the vulnerable authentication token parameter. This will bypass the authentication checks and grant access to the specified user's feed.

Remediation

Update to FreshRSS version 1.28.0 or later, where this vulnerability has been fixed. Because tokens leaked before the update remain usable afterwards (see Impact), affected master authentication tokens should also be regenerated.

Added: Mar 9, 2026, 8:21 PM
Updated: Mar 9, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          2.5
  exploitability  9.5
  remediation     7.7
  relevance       3.7
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.