File Browser Command Execution Allowlist Bypass Vulnerability

Vulnerability

A command execution vulnerability has been identified in File Browser versions prior to 2.33.10. The issue arises from an incorrect implementation of the allowlist feature, which is intended to restrict users to executing only predefined shell commands. This flaw allows users to execute additional commands beyond their authorized permissions. The impact of this vulnerability varies based on the specific commands allowed and the binaries available on the server or within the container image. Notably, the lack of proper scope separation at the operating system level could enable an attacker to access all files managed by the application, including the File Browser database.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of shell commands, with potential access to all files managed by the application, including the File Browser database.

Reproduction

To reproduce this vulnerability, grant a user the 'Execute commands' permission and restrict them to using only the 'ls' command. Once this is set, the user can execute 'lsof' and 'lsusb', demonstrating the allowlist bypass.
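The bypass pattern that reproduction describes, shown as an added Go example rather than File Browser's own code: a check that treats an allowed name as a prefix accepts "lsof" and "lsusb" when only "ls" is permitted, whereas matching the first command-line token as a whole word rejects them. The allowlist contents and both functions are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// allowlist is a constructed sample mirroring the advisory's reproduction,
// which grants a user only the "ls" command.
var allowlist = []string{"ls"}

// prefixCheck illustrates the flawed behaviour the advisory describes (not
// File Browser's actual code): any command line that merely starts with an
// allowed name is accepted, so "lsof" and "lsusb" pass as if they were "ls".
func prefixCheck(cmdline string, allowed []string) bool {
	for _, a := range allowed {
		if strings.HasPrefix(cmdline, a) {
			return true
		}
	}
	return false
}

// exactCheck is the corrected form: the first whitespace-separated token of
// the command line must equal an allowed name as a whole word. "ls -la" is
// accepted; "lsof", "lsusb", "/bin/ls" and an empty line are rejected.
func exactCheck(cmdline string, allowed []string) bool {
	fields := strings.Fields(cmdline)
	if len(fields) == 0 {
		return false
	}
	for _, a := range allowed {
		if fields[0] == a {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range []string{"ls -la", "lsof", "lsusb"} {
		fmt.Printf("%-8q prefix=%-5v exact=%v\n",
			c, prefixCheck(c, allowlist), exactCheck(c, allowlist))
	}
}
```

Matching the first token is only meaningful when the command is executed directly as an argument vector rather than handed to a shell; shell interpretation of the remaining tokens is a separate concern this advisory does not cover.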

Remediation

Update to File Browser version 2.33.10 or later, where this vulnerability has been patched.

Added: Jun 30, 2025, 8:34 PM
Updated: Jun 30, 2025, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 10.0
exploitability: 6.1
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.