FreeScout Authentication Bypass and Information Disclosure Vulnerability in System Controller

Vulnerability

A vulnerability exists in FreeScout prior to version 1.8.213, allowing unauthenticated access to diagnostic and system tools meant for administrators. The issue is rooted in the SystemController, where several administrative routes, including '/system/cron/{hash}', are accessible without authentication. The '/system/cron' endpoint uses a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. This vulnerability leads to Full Path Disclosure, unauthorized access to sensitive server information, and allows for Denial-of-Service by repeatedly triggering resource-intensive background tasks without any rate limiting. The cron hash, generated by concatenating the APP_KEY with a specific string and hashing it, can be exposed through GET requests, server logs, and browser history. The lack of rate limiting also enables automated resource exhaustion and brute-force attacks on the cron endpoint.

Impact

Exploitation of this vulnerability results in unauthorized access to admin-only diagnostic tools and status pages, leading to disclosure of internal server paths and system configuration details. It also allows resource exhaustion: an unauthenticated party can trigger heavy cron tasks repeatedly, causing sustained high CPU usage.

Reproduction

The vulnerability can be reproduced by sending requests to the '/system/cron/{hash}' endpoint with a valid hash derived from the APP_KEY. This can be automated with a Python script that brute-forces the hash using a wordlist. The '/system/status' endpoint can also be accessed without authentication, revealing sensitive server information.
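From the defender's side, the two access patterns described in this advisory are easy to spot in ordinary web-server access logs: any successful request to '/system/status' or '/system/cron/{hash}' from an unexpected source, and a burst of '/system/cron/' requests from one client (many distinct hash values means guessing; one repeated value means the hash is known and the endpoint is being hammered). The script below is an added example written for this page, not code from the advisory or the FreeScout project. It assumes combined log format and a sliding window of 60 seconds with a threshold of 5 requests; the log lines, IPs and hash values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format line, e.g.
# 203.0.113.7 - - [21/Apr/2026:14:48:01 +0000] "GET /system/cron/abc HTTP/1.1" 200 512 "-" "curl/8.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

CRON_PREFIX = "/system/cron/"
STATUS_PATH = "/system/status"

# Constructed sample log (assumption: combined format, all timestamps UTC).
# 203.0.113.7 sends six different hash values within six seconds: guessing.
SAMPLE_LOG = """\
198.51.100.20 - - [21/Apr/2026:14:48:01 +0000] "GET /system/status HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Apr/2026:14:48:05 +0000] "GET /system/cron/deadbeefdeadbeefdeadbeefdeadbeef HTTP/1.1" 200 17 "-" "curl/8.0"
10.0.0.4 - - [21/Apr/2026:14:48:06 +0000] "GET /conversation/12 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2026:14:49:00 +0000] "GET /system/cron/00000000000000000000000000000001 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2026:14:49:01 +0000] "GET /system/cron/00000000000000000000000000000002 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2026:14:49:02 +0000] "GET /system/cron/00000000000000000000000000000003 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2026:14:49:03 +0000] "GET /system/cron/00000000000000000000000000000004 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2026:14:49:04 +0000] "GET /system/cron/00000000000000000000000000000005 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2026:14:49:05 +0000] "GET /system/cron/00000000000000000000000000000006 HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def _max_in_window(times, window_seconds):
    """Largest number of timestamps (sorted) that fall inside any window."""
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, threshold=5, window_seconds=60):
    """Flag SystemController exposure patterns in access-log lines.

    Finding types:
      status_page_served - /system/status answered with 200 (diagnostic page disclosed)
      cron_triggered     - /system/cron/{hash} answered with 200 (a valid hash is in use)
      cron_burst         - one client hit /system/cron/ >= threshold times in a window
    """
    findings = []
    cron_hits = defaultdict(list)  # ip -> [(ts, hash), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == STATUS_PATH and rec["status"] == 200:
            findings.append({"type": "status_page_served", "ip": rec["ip"], "ts": rec["ts"]})
        elif rec["path"].startswith(CRON_PREFIX):
            cron_hits[rec["ip"]].append((rec["ts"], rec["path"][len(CRON_PREFIX):]))
            if rec["status"] == 200:
                findings.append({"type": "cron_triggered", "ip": rec["ip"], "ts": rec["ts"]})
    for ip, hits in cron_hits.items():
        hits.sort(key=lambda h: h[0])
        count = _max_in_window([h[0] for h in hits], window_seconds)
        if count >= threshold:
            findings.append({
                "type": "cron_burst",
                "ip": ip,
                "requests": count,
                # many distinct values -> hash guessing; one value -> repeated triggering
                "distinct_hashes": len({h[1] for h in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against real logs, the `cron_burst` finding with many distinct hashes is the guessing pattern and one with a single repeated hash is the resource-exhaustion pattern; on a patched instance the cron URL changes, so `cron_triggered` hits on the old hash after the upgrade are worth a look as well.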

Remediation

Users are advised to update to FreeScout version 1.8.213 or later. After updating, if cron jobs were run via the special URL method, make sure to switch to the updated URL.

Added: Apr 21, 2026, 4:48 PM
Updated: Apr 21, 2026, 4:48 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.0
exploitability: 8.2
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.