Description:
A High security vulnerability has been identified in the Free Scout Application, which exposes SMTP server credentials used by an organization in the application to users of the application. This issue arises from the application storing complete stack traces of exceptions in its database. The sensitive information is then inadvertently disclosed to users via the /conversation/ajax-html/send_log?folder_id=&thread_id={id} endpoint. The stack trace reveals value of parameters, including the username and password, passed to the Swift_Transport_Esmtp_Auth_LoginAuthenticator->authenticate() function.
Impact:
Exploiting this vulnerability allows an attacker to gain unauthorized access to SMTP server credentials. With this sensitive information in hand, the attacker can potentially send unauthorized emails from the compromised SMTP server, posing a severe threat to the confidentiality and integrity of email communications. This could lead to targeted attacks on both the application users and the organization itself, compromising the security of email exchange servers.
Mitigation:
To address this vulnerability, it is essential to adopt the following measures:
- Avoid Storing Complete Stack Traces:
- Modify the application's exception-handling mechanism to avoid storing complete stack traces in the database. Only generic error information should be retained to prevent the exposure of sensitive credentials.
- Sensitive Data Redaction:
- Implement redaction mechanisms to filter and exclude sensitive information, such as SMTP server credentials, from exception stack traces. This ensures that only essential details are logged.
- Enhance Logging Practices:
- Review and enhance the application's logging practices to strike a balance between providing useful debugging information and protecting sensitive data. Log only what is necessary for diagnostics without compromising security.
Steps to Reproduce:
- Go to the demo FreeScout Application, provided by FreeScout at https://demo.freescout.net/.
- Login as a support agent.
- Create a new conversation, with dummy data and send the message.
- Wait for 5 minutes.
- Go to the conversation that you initiated by going to the Sent Tab.
- You will see a "Message not sent to customer" error.
- Click on View log, and you will see a stack trace error.
- Locate the parameters being sent to the authenticate function. In the screenshots, I have highlighted the credentials for reference.
Evidence:
UmerAdeemCheema Reporter
Description:
A High security vulnerability has been identified in the Free Scout Application, which exposes SMTP server credentials used by an organization in the application to users of the application. This issue arises from the application storing complete stack traces of exceptions in its database. The sensitive information is then inadvertently disclosed to users via the
/conversation/ajax-html/send_log?folder_id=&thread_id={id}endpoint. The stack trace reveals value of parameters, including the username and password, passed to theSwift_Transport_Esmtp_Auth_LoginAuthenticator->authenticate()function.Impact:
Exploiting this vulnerability allows an attacker to gain unauthorized access to SMTP server credentials. With this sensitive information in hand, the attacker can potentially send unauthorized emails from the compromised SMTP server, posing a severe threat to the confidentiality and integrity of email communications. This could lead to targeted attacks on both the application users and the organization itself, compromising the security of email exchange servers.
Mitigation:
To address this vulnerability, it is essential to adopt the following measures:
Steps to Reproduce:
Evidence: