File Browser Command Execution Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in the Command Execution feature of File Browser version 2.32.0 allows users with the 'Execute commands' permission to execute arbitrary shell commands, bypassing the predefined command allowlist. This is possible because many standard commands can themselves be used to run additional commands, so an allowlist of command names does not stop other programs from being launched. As a result, an attacker could gain full code execution under the user ID of the server process. The vulnerability arises from the flawed implementation of the command execution functionality, which has been repeatedly highlighted as problematic.

Impact

Exploitation of this vulnerability leads to arbitrary code execution on the server, with the executed code running under the user ID of the server process.

Reproduction

To reproduce this vulnerability, a user must have an account with 'Execute commands' permissions. Once logged in, the user can execute allowed commands that can be manipulated to run additional commands. For example, the 'find' command can be used with the '-exec' flag to execute a command like 'curl' to make a network request to an external server.
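To make the bypass concrete, the following is an added Python example, not code from File Browser or from this advisory. It models the allowlist as a check on the program name only (an assumption about the vulnerable design, consistent with the description above) next to a stricter check that parses the command line and rejects find's program-running actions and shell metacharacters. The allowlist and command lines are constructed for the demonstration.

```python
import shlex

# Arguments that make an allowlisted program run another program.
# 'find -exec' is the case in the advisory; -execdir, -ok and -okdir are the
# other command-running actions documented in the find(1) manual and must be
# covered too, or the check is incomplete.
SPAWNING_ARGS = {
    "find": {"-exec", "-execdir", "-ok", "-okdir"},
}
# Characters that let a shell chain, substitute or redirect commands.
SHELL_METACHARS = set(";&|`$<>(){}\n")

# Constructed allowlist and the advisory's example, reduced to a placeholder URL.
ALLOWLIST = {"ls", "find"}
FIND_EXEC_EXAMPLE = "find /srv -exec curl http://example.invalid/ {} \\;"


def allowed_by_name(cmdline: str, allowlist: set) -> bool:
    """Name-only allowlist: the flawed model the advisory describes (assumed)."""
    argv = shlex.split(cmdline)
    return bool(argv) and argv[0] in allowlist


def allowed_strict(cmdline: str, allowlist: set):
    """Reject anything that could make an allowlisted program run another one."""
    try:
        argv = shlex.split(cmdline)  # POSIX quoting rules, quotes stripped
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not argv:
        return False, "empty command"
    prog = argv[0]
    if prog not in allowlist:  # also rejects paths such as /usr/bin/find
        return False, f"{prog!r} is not allowlisted"
    for arg in argv[1:]:
        if arg in SPAWNING_ARGS.get(prog, set()):
            return False, f"{prog} {arg} executes another program"
    for arg in argv[1:]:
        if any(c in SHELL_METACHARS for c in arg):
            return False, f"shell metacharacter in argument {arg!r}"
    return True, "ok"


if __name__ == "__main__":
    print("name-only check:", allowed_by_name(FIND_EXEC_EXAMPLE, ALLOWLIST))
    print("strict check:   ", allowed_strict(FIND_EXEC_EXAMPLE, ALLOWLIST))
```

Even the strict check is only a stop-gap: it has to enumerate every program-spawning argument of every allowlisted tool, which is why the remediation below is to turn the feature off entirely.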

Remediation

Users are advised to disable the 'Execute commands' feature for all accounts, as it is inherently risky. File Browser can be configured to completely turn off this feature. Additionally, organizations should consider using a distroless container image for added security.

Added: Jun 26, 2025, 8:10 PM
Updated: Jun 26, 2025, 8:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 10.0
exploitability: 6.1
remediation: 8.3
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.