File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.33.6
A vulnerability exists in File Browser versions through 2.33.6, where files uploaded or created by the application do not have their access permissions explicitly set. This issue, combined with the default umask configuration on standard Linux servers, makes these files readable by any operating system account. The vulnerability also extends to the application's database, which contains sensitive information such as password hashes. On Docker-based deployments, the same permission issues occur within the container.
The vulnerability allows all operating system accounts on the server, as well as other applications running on the same server, to read the files managed by File Browser and its database. Additionally, any File Browser user with command execution privileges can access the content of these files.
To reproduce this vulnerability, upload or create a file using the File Browser GUI. Then, list the directory contents from a shell to verify the file permissions. The default permissions will be world-readable. This vulnerability can also be reproduced in a Docker container running File Browser by uploading files and checking the permissions via the command line.
Users can manually change the permissions of the affected files and the database to restrict access. After updating to version 2.33.7, which addresses the vulnerability by setting the correct permissions, site administrators should run a command to remove read permissions for the 'other' category from the File Browser data directory.
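An added audit and cleanup script, not part of the original advisory or of File Browser itself: it shows the umask effect the advisory describes, counts world-readable entries under a data directory, and strips 'other' permissions. The `FB_DATA` path is an assumed placeholder and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not File Browser's own code). FB_DATA is an assumed
# placeholder for the directory holding the uploaded files and the
# filebrowser database; set it to the real path before running.

# Mode a newly created file gets under a given umask: the advisory's root
# cause is that with the common default 022 a file lands at 644.
mode_under_umask() {
    f=$(mktemp)
    rm -f "$f"
    ( umask "$1"; : > "$f" )
    ls -l "$f" | cut -c1-10
    rm -f "$f"
}

# Count entries under $1 that carry the world-read bit (octal 004), i.e.
# anything another OS account or co-located application could read.
count_world_readable() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# Post-upgrade cleanup described in the advisory: remove all 'other'
# permissions on everything already in the data directory, since files
# created before 2.33.7 keep their old mode until fixed by hand.
harden_data_dir() {
    chmod -R o-rwx "$1"
}

# Constructed sample tree reproducing the pre-2.33.7 state: a directory and
# two files created under umask 022 (modes 755 and 644, world-readable).
make_sample_tree() {
    dir=$(mktemp -d)
    ( umask 022
      mkdir "$dir/uploads"
      printf 'report' > "$dir/uploads/report.txt"
      printf 'sqlite' > "$dir/filebrowser.db" )
    echo "$dir"
}

if [ -n "${FB_DATA:-}" ]; then
    echo "umask 022 file mode: $(mode_under_umask 022)"
    echo "world-readable entries before: $(count_world_readable "$FB_DATA")"
    harden_data_dir "$FB_DATA"
    echo "world-readable entries after:  $(count_world_readable "$FB_DATA")"
fi
```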