FreeScout Arbitrary File Write Vulnerability in Module Installation Feature Allowing Remote Code Execution

Vulnerability

A critical vulnerability in FreeScout's module installation feature prior to version 1.8.215 allows authenticated administrators to perform arbitrary file writes on the server filesystem. This issue arises because the application extracts ZIP archives without validating file paths, creating a Zip Slip vulnerability. Exploitation of this flaw could lead to remote code execution by writing a malicious PHP file to the webroot.

Impact

Exploitation of this vulnerability allows for arbitrary file writes on the server, with the potential for remote code execution if a PHP file is written to the webroot.

Reproduction

To reproduce this vulnerability, create a ZIP archive containing a file with a path traversal payload, such as '../../../../../public/pwned.php'. Then, upload this ZIP archive through the FreeScout module installation interface. The crafted file will be extracted to the application's webroot, where the web server will execute the uploaded PHP file when it is requested, demonstrating the remote code execution impact.
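The defensive counterpart to the reproduction above is an extractor that refuses any archive member whose resolved path leaves the module directory. The following is an added example, not FreeScout's own code: it validates every member before writing anything (so a bad archive never lands partially on disk), rejects absolute paths, '..' traversal and symlink members, and exercises the check against two constructed in-memory archives, one well-formed and one carrying the traversal path from the advisory. The "Modules" directory under a temporary root and the module file names are assumptions for the demo.

```python
"""Fail-closed ZIP extraction that rejects Zip Slip members (added example)."""
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveEntry(ValueError):
    """A ZIP member would land outside the extraction root, or is a symlink."""


def is_safe_member(root, member_name: str) -> bool:
    """Return True only if root/member_name resolves to a path under root."""
    if not member_name or "\x00" in member_name:
        return False
    # Absolute paths (POSIX, Windows drive or UNC) never belong in a module archive
    if member_name.startswith(("/", "\\")) or os.path.isabs(member_name):
        return False
    root_resolved = Path(root).resolve()
    # Joining then resolving collapses any '..' components the archive carries
    target = (root_resolved / member_name).resolve()
    try:
        return os.path.commonpath([root_resolved, target]) == str(root_resolved)
    except ValueError:  # different drives on Windows: cannot share a prefix
        return False


def extract_module(zip_bytes: bytes, root: Path) -> list:
    """Validate every member first, then extract; raise on the first bad one."""
    root = Path(root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix mode bits, if the creator stored them
            if stat.S_ISLNK(mode):
                raise UnsafeArchiveEntry(f"symlink member rejected: {info.filename}")
            if not is_safe_member(root, info.filename):
                raise UnsafeArchiveEntry(f"path traversal rejected: {info.filename}")
        written = []
        for info in zf.infolist():
            target = root / info.filename  # safe: absolute names were rejected above
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct the demo fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # zipfile stores the member name verbatim
    return buf.getvalue()


# Constructed fixtures (assumed layout): a well-formed module, and one
# carrying the traversal path named in the advisory.
SAFE_MODULE = build_archive({
    "MyModule/module.json": b'{"name": "MyModule"}',
    "MyModule/src/Example.php": b"<?php\n",
})
TRAVERSAL_MODULE = build_archive({
    "MyModule/module.json": b'{"name": "MyModule"}',
    "../../../../../public/pwned.php": b"<?php /* constructed placeholder */\n",
})


def run_demo() -> dict:
    """Extract both fixtures into a temp tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        app_root = Path(tmp)
        modules_dir = app_root / "Modules"
        modules_dir.mkdir()
        written = extract_module(SAFE_MODULE, modules_dir)
        try:
            extract_module(TRAVERSAL_MODULE, modules_dir)
            blocked = False
        except UnsafeArchiveEntry:
            blocked = True
        return {
            "safe_written": written,
            "traversal_blocked": blocked,
            # Confirm nothing named pwned.php landed anywhere under the temp root
            "escaped_file_exists": any(p.name == "pwned.php" for p in app_root.rglob("*")),
            "module_json_present": (modules_dir / "MyModule" / "module.json").is_file(),
        }


if __name__ == "__main__":
    print(run_demo())
```

Validating the whole member list before the first write is what makes the extractor fail closed: an archive that mixes legitimate module files with a single traversal entry is rejected outright instead of leaving a half-installed module behind. The same two checks (resolve the joined path, then require the extraction root as its prefix) are what a PHP port of this logic needs before writing each entry.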

Remediation

Users can update to FreeScout version 1.8.215 or later, where this vulnerability has been patched.

Added: Apr 21, 2026, 7:40 PM
Updated: Apr 21, 2026, 7:40 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.