FreeScout Remote Code Execution Vulnerability via Improper File Upload Restrictions

Vulnerability

A remote code execution vulnerability exists in FreeScout versions prior to 1.8.206 due to inadequate file upload restrictions. The application allows the upload of .htaccess files, which can be exploited on Apache servers with AllowOverride All enabled. An authenticated user can upload a .htaccess file to modify how files are processed, potentially leading to remote code execution. This vulnerability can be exploited independently or in conjunction with another identified vulnerability in FreeScout.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where FreeScout is hosted, specifically on Apache-based deployments. An authenticated attacker can execute arbitrary commands, manipulate files, access sensitive data including database credentials, and potentially pivot to other services or internal networks.

Reproduction

To reproduce this vulnerability, an authenticated user must upload a .htaccess file through the conversation reply attachment feature. Because Apache honours per-directory overrides in the upload location, the uploaded .htaccess changes how files there are processed; the user then uploads a .txt file containing PHP code and requests that .txt file directly with a command parameter, which causes the PHP code to execute.
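As an added example (not FreeScout's code), the kind of server-side filename check an attachment handler should apply before writing an upload to a web-served directory: it rejects Apache per-directory control files such as .htaccess regardless of case or client-supplied path, and rejects any extension segment a server handler could execute, so neither the .htaccess step nor a disguised script can reach disk. The extension list and function names are this example's own assumptions.

```python
"""Reject attachment filenames that could alter how Apache serves the upload directory."""
import posixpath
import unicodedata
from typing import Optional

# Apache's stock configuration denies direct *requests* for names beginning with
# ".ht", but it still *processes* an uploaded .htaccess when AllowOverride permits
# it, so such names must never be stored in a served directory at all.
APACHE_CONTROL_PREFIXES = (".ht",)

# Extension segments that a web server, or a handler enabled through an uploaded
# .htaccess, may execute rather than serve as static data (assumed list).
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "cgi", "pl", "py", "sh", "shtml", "asp", "aspx", "jsp",
}


def attachment_name_problem(raw_name: str) -> Optional[str]:
    """Return the reason a filename is unsafe to store, or None if it is acceptable."""
    # Normalize Unicode and drop any directory components the client supplied,
    # so "../../.htaccess" and "dir\\.HTACCESS" are judged by their basename.
    name = unicodedata.normalize("NFKC", raw_name).replace("\\", "/")
    name = posixpath.basename(name).strip()
    if not name or name in (".", ".."):
        return "empty or relative name"
    if "\x00" in name:
        return "NUL byte in name"
    lowered = name.lower()
    if lowered.startswith(APACHE_CONTROL_PREFIXES):
        return "Apache per-directory control file"
    # Check every extension segment, not just the last one, so that
    # "shell.php.txt" or "x.phtml.jpg" cannot slip past a last-extension check.
    for ext in lowered.split(".")[1:]:
        if ext in SCRIPT_EXTENSIONS:
            return f"script extension .{ext}"
    return None


def is_safe_attachment_name(raw_name: str) -> bool:
    """Convenience wrapper for use in an upload handler."""
    return attachment_name_problem(raw_name) is None


if __name__ == "__main__":
    for candidate in (".htaccess", "dir/.HTACCESS", "shell.php.txt", "report.txt"):
        print(f"{candidate!r}: {attachment_name_problem(candidate) or 'ok'}")
```

This check complements, rather than replaces, server-side hardening: setting AllowOverride None for the attachment storage directory stops Apache from reading any .htaccess that does get written there.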

Remediation

Update to FreeScout version 1.8.206 or later, which patches this vulnerability.

Added: Feb 25, 2026, 4:25 AM
Updated: Feb 25, 2026, 4:25 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 8.2
remediation: 7.7
relevance: 3.2
threat: 6.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.