Impact
User configuration files can be accessed remotely if an attacker can guess usernames. In addition to user preferences, such configurations contain the salted bcrypt (cost 9) password hash for the FreshRSS web interface. If the API is used, the configuration may also contain a salted bcrypt (cost 9) hash of the GReader API password and a salted MD5 hash of the Fever API password.
If SQLite is used as the database, the database of the given user can also be accessed.
Patches
Administrators should update to version 1.20.2 or edge.
Then, users should change their FreshRSS and potentially API passwords.
Workarounds
Besides updating (recommended), admins of older systems can apply the patch manually, or delete the file ./FreshRSS/p/ext.php (which will break some extensions).
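The check and workaround above, as an added example script (not FreshRSS project code). It assumes the install root contains a constants.php that defines FRESHRSS_VERSION in the upstream format, and it treats edge builds (a "-dev" suffix on the next release number) as patched once that number reaches 1.20.2; the ext.php.disabled backup name is the script's own choice.

```shell
#!/bin/sh
# Added example, not part of the FreshRSS advisory or code base.
# Decides whether an installed FreshRSS predates the fix in this advisory and,
# if so, moves p/ext.php aside (with a backup) as the documented workaround.
# Assumptions: <root>/constants.php contains define('FRESHRSS_VERSION', 'x.y.z');
# edge builds carry a "-dev" suffix and are compared on their numeric part only.

FIXED_VERSION="1.20.2"

# version_ge A B: return 0 when dotted version A is >= B (numeric compare on
# up to three components; "-dev"/"+..." suffixes are stripped first).
version_ge() {
    a=${1%%[-+]*}
    b=${2%%[-+]*}
    oldifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# installed_version ROOT: print the version string from constants.php
# (assumed location and format), or nothing if it cannot be found.
installed_version() {
    sed -n "s/.*define('FRESHRSS_VERSION', *'\([^']*\)').*/\1/p" "$1/constants.php"
}

# apply_ext_workaround ROOT: disable p/ext.php only on unpatched installs.
# The file is renamed, not deleted, so extensions can be restored after the
# upgrade to 1.20.2 or edge.
apply_ext_workaround() {
    root=$1
    ver=$(installed_version "$root")
    if [ -z "$ver" ]; then
        echo "could not read FRESHRSS_VERSION from $root/constants.php" >&2
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "FreshRSS $ver already includes the fix; nothing to do"
        return 0
    fi
    if [ -f "$root/p/ext.php" ]; then
        mv "$root/p/ext.php" "$root/p/ext.php.disabled"
        echo "FreshRSS $ver is vulnerable: moved p/ext.php aside (extensions will break until you upgrade)"
    else
        echo "FreshRSS $ver is vulnerable but p/ext.php is already absent"
    fi
    return 0
}

# Usage: apply_ext_workaround /var/www/FreshRSS
```

Run it against the FreshRSS install root as the web server's user so the rename works, and remember that the workaround is a stopgap: the advisory's real fix is the upgrade, followed by rotating the web interface and API passwords whose hashes may have been exposed.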
References
#4928
Credits
Reported by @c3l3si4n