File Browser Password Protection Bypass Vulnerability

Vulnerability

A vulnerability exists in File Browser versions through 2.32.0, allowing for unprotected sharing of files via direct download links. The issue arises from an error-prone implementation of password protection for shared links. Users can inadvertently share unprotected links, which can be accessed by anyone with the link, potentially leading to unauthorized download of sensitive files.

Impact

This vulnerability can lead to unauthorized access and download of files that users believed were password protected, creating a false sense of security.

Reproduction

When a file is shared, the user can optionally set a password for protection. However, if the wrong link is shared or if the link is copied after the password has been used, the shared file can be accessed without a password. The unprotected link can then be used to download the file, bypassing the intended password protection.

Remediation

Users should be cautious when sharing files and ensure that the correct link is used. File Browser has released version 2.34.2, which mitigates user error by removing the unprotected download link from the sharing interface. However, this does not address unprotected links that may already exist in logs or browser history.
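To find shares whose unprotected links may already sit in proxy logs, the following added example (not File Browser code and not part of the original advisory) scans access-log lines for tokenized direct-download requests and lists the affected share IDs so those shares can be deleted and re-created. The URL prefix `/api/public/dl/` and the `token` query parameter are assumptions about the link format that this page does not state, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions (not stated on the page): direct download links look like
# /api/public/dl/<share-id>[/path]?token=<value>. Adjust to your deployment.
DL_PREFIX = "/api/public/dl/"
TOKEN_PARAM = "token"

# Common/combined access log: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_exposed_shares(lines):
    """Return {share_id: [(time, ip, status), ...]} for tokenized download requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        url = urlsplit(m["target"])
        if not url.path.startswith(DL_PREFIX):
            continue
        if TOKEN_PARAM not in parse_qs(url.query, keep_blank_values=True):
            continue  # no bypass token in the URL
        share_id = url.path[len(DL_PREFIX):].split("/", 1)[0]
        if share_id:
            # The token value is deliberately never stored or printed.
            hits[share_id].append((m["time"], m["ip"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (not real traffic; IDs and tokens are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2025:20:01:11 +0000] "GET /share/EXAMPLE1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jun/2025:20:02:40 +0000] "GET /api/public/dl/EXAMPLE2/report.pdf?token=CONSTRUCTED-TOKEN HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Jun/2025:21:15:02 +0000] "GET /api/public/dl/EXAMPLE2/report.pdf?token=CONSTRUCTED-TOKEN HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '198.51.100.23 - - [30/Jun/2025:21:16:30 +0000] "GET /api/public/dl/EXAMPLE3/notes.txt HTTP/1.1" 401 12 "-" "curl/8.5.0"',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for share, events in sorted(find_exposed_shares(SAMPLE_LOG).items()):
        clients = sorted({ip for _, ip, _ in events})
        print(f"share {share}: {len(events)} tokenized download(s) from {clients}")
```

Any share ID reported here had its tokenized link written to the log, so anyone with access to that log could reuse the link until the share is removed.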

Added: Jun 30, 2025, 8:24 PM
Updated: Jun 30, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.