File Browser Command Execution Vulnerability Allows Unauthorized File Access

Vulnerability

A vulnerability in File Browser version 2.32.0 allows users who hold the 'Execute Commands' permission to run shell commands that bypass the per-user file scope. This can give them read and write access to every file the server process can reach, including the File Browser database, which stores the password hashes of all accounts. The root cause is that executed commands run as the server process and are not confined to the user's scope: the user's scope restrictions apply to file operations performed through the web interface, but not to the files a command touches. Exploitation requires nothing more than an account with the 'Execute Commands' permission and at least one allowed command.

Impact

Exploitation of this vulnerability gives an attacker access to all files managed by the application, including those outside the attacker's assigned scope. In particular, it exposes the File Browser database file, which contains the password hashes of every account. With a copy of the database the attacker can run an offline dictionary attack against those hashes; bcrypt slows such an attack down but does not prevent weak passwords from being recovered. With write access to the database, the attacker can also replace the stored hash of any account, including an administrator's, with the hash of a password they know and then log in as that user.

Reproduction

To reproduce this vulnerability, first ensure that a user account has the 'Execute Commands' permission enabled and at least one allowed command configured. Log in as that user and run an allowed command with a file path argument that points outside the user's scope, for example by using `..` segments or an absolute path. The command runs with the user ID of the server process rather than within the user's scope, so it can read or modify files in any scope, including extracting the File Browser database.
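To make the mechanism described above concrete, the following is an added example written in Go, the language File Browser is implemented in; it is not File Browser's own code. It contrasts a scope-checked file read, which rejects a path that climbs out of the user's scope, with a command runner that only sets the child's working directory to the scope and therefore lets `cat ../../filebrowser.db` succeed. It then adds a lexical argument check as a partial guard. The directory layout, the file names and the 'alice' scope are constructed for the demonstration and are assumptions, not details taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrOutsideScope is returned when a path resolves outside the user's scope.
var ErrOutsideScope = errors.New("path resolves outside the user's scope")

// within reports whether candidate is scope itself or lies beneath it.
// Both arguments must be absolute, cleaned paths.
func within(scope, candidate string) bool {
	return candidate == scope ||
		strings.HasPrefix(candidate, scope+string(filepath.Separator))
}

// scopedPath maps a user-supplied path onto the user's scope and rejects any
// request that climbs out of it. This is the kind of check that keeps
// scope-aware file operations confined. Symlinks are not resolved here; a
// complete check would also pass the result through filepath.EvalSymlinks.
func scopedPath(scope, userPath string) (string, error) {
	absScope, err := filepath.Abs(scope)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absScope, userPath) // Join cleans ".." segments
	if !within(absScope, candidate) {
		return "", ErrOutsideScope
	}
	return candidate, nil
}

// readScoped reads a file only after the scope check has passed.
func readScoped(scope, userPath string) ([]byte, error) {
	p, err := scopedPath(scope, userPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// runCommand is the unsafe pattern: the child's working directory is the
// scope, but nothing stops its arguments from naming files outside it, and
// the child inherits every permission of the server process.
func runCommand(scope string, argv []string) (string, error) {
	if len(argv) == 0 {
		return "", errors.New("empty command")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Dir = scope
	out, err := cmd.Output()
	return string(out), err
}

// argEscapesScope applies the same lexical check to a single argument,
// treating absolute and relative arguments separately.
func argEscapesScope(absScope, arg string) bool {
	candidate := filepath.Join(absScope, arg)
	if filepath.IsAbs(arg) {
		candidate = filepath.Clean(arg)
	}
	return !within(absScope, candidate)
}

// guardedRunCommand refuses to run when any argument resolves outside the
// scope. This is a partial mitigation only: it cannot see paths a command
// reads from stdin or the environment, paths inside "key=value" options,
// shell expansion, or symlink targets. Disabling command execution, as the
// advisory recommends, remains the reliable fix.
func guardedRunCommand(scope string, argv []string) (string, error) {
	if len(argv) == 0 {
		return "", errors.New("empty command")
	}
	absScope, err := filepath.Abs(scope)
	if err != nil {
		return "", err
	}
	for _, arg := range argv[1:] {
		if argEscapesScope(absScope, arg) {
			return "", fmt.Errorf("argument %q: %w", arg, ErrOutsideScope)
		}
	}
	return runCommand(scope, argv)
}

func main() {
	// Constructed layout (an assumption): the database sits next to the
	// per-user scopes under the server root.
	root, _ := os.MkdirTemp("", "fb-scope-demo")
	defer os.RemoveAll(root)
	scope := filepath.Join(root, "users", "alice")
	_ = os.MkdirAll(scope, 0o755)
	_ = os.WriteFile(filepath.Join(root, "filebrowser.db"), []byte("<db>"), 0o600)

	_, err := readScoped(scope, "../../filebrowser.db")
	fmt.Println("scoped read:", err)
	out, err := runCommand(scope, []string{"cat", "../../filebrowser.db"})
	fmt.Printf("command runner: %q %v\n", out, err)
	_, err = guardedRunCommand(scope, []string{"cat", "../../filebrowser.db"})
	fmt.Println("guarded runner:", err)
}
```

Running the program shows the mismatch the advisory describes: the scoped read fails with "path resolves outside the user's scope", while the plain command runner returns the contents of the database file. The guarded variant catches this particular traversal, but because it only inspects argument strings it should be read as an illustration of why the scope model and the command runner disagree, not as a replacement for turning the feature off.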

Remediation

Users are advised to disable the 'Execute Commands' permission for all accounts and to remove any allowed commands, since the feature gives every holder of the permission the full filesystem access of the server process and is not required for most deployments. Audit existing accounts for the permission, not just new ones. As an additional layer, File Browser can be run from a distroless container image: with no shell or standard utilities in the image, there is nothing for the command runner to execute, so the feature cannot be abused even if it is accidentally left enabled. If the database file may already have been exposed, reset all account passwords.

Added: Jun 26, 2025, 7:41 PM
Updated: Jun 26, 2025, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 6.1
remediation: 8.3
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.