File Browser Path-Based Access Control Bypass Vulnerability

Vulnerability

A path-based access control bypass vulnerability has been identified in File Browser versions prior to 2.57.1. It allows an authenticated user to circumvent 'Disallow' file path rules by altering the request URL: inserting extra slashes into the path (for example a doubled leading slash) produces a string that the rule matcher no longer recognizes as the disallowed path, while the underlying filesystem collapses the repeated slashes and resolves it to the restricted file anyway. The root cause is that the URL path is matched against the rules before it is normalized, so the authorization check and the filesystem disagree about which file is being requested, and files that should be off-limits become reachable.

Impact

Exploitation allows authenticated users to read files they are not permitted to access, violating the configured per-user access controls. Users who also hold general write permissions can apply the same trick to operations on restricted directories, such as renaming, deleting, or modifying the files in them.

Reproduction

To reproduce this vulnerability, configure a 'Disallow' rule for a specific file path on an authenticated user's account, then confirm that a request for that path is rejected. Next, send the same request with multiple leading slashes in the URL path. The application fails to match the altered path against the 'Disallow' rule, the filesystem resolves the repeated slashes as a single slash, and the restricted file is returned. The same check, repeated after upgrading, is a quick way to verify that the fix is in place: the request with doubled slashes must be rejected exactly like the plain one.
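The mismatch described above, as an added illustration in Go (the language File Browser is written in); this is constructed example code, not File Browser's own rule matcher or the actual patch. It assumes a hypothetical rule list where the first matching rule decides, compares a "Disallow" rule for /secret against the raw request path and against a normalized one, and reads the file through the OS by plain string concatenation to show that the filesystem accepts the doubled slash. The test data (a temp directory with secret/key) is constructed here. Because path.Clean also collapses "." and ".." segments, the example goes slightly beyond the page's doubled-slash case and shows a dot-segment path being normalized the same way.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// Rule is a hypothetical per-user path rule; Allow == false models a "Disallow" rule.
type Rule struct {
	Path  string
	Allow bool
}

// covers reports whether rulePath applies to p (exact match, or p lies below it).
func covers(rulePath, p string) bool {
	if rulePath == "/" {
		return true
	}
	return p == rulePath || strings.HasPrefix(p, rulePath+"/")
}

// allowedRaw evaluates the rules against the path exactly as it arrived in the URL.
// This is the vulnerable pattern: "//secret/key" never matches a rule written
// for "/secret", so no rule fires and the default (allow) applies.
func allowedRaw(rules []Rule, reqPath string) bool {
	for _, r := range rules {
		if covers(r.Path, reqPath) {
			return r.Allow
		}
	}
	return true // no rule matched: default allow
}

// normalize collapses repeated slashes and "."/".." segments so the rules see
// the same path the filesystem will resolve. The leading "/" keeps the result
// absolute even for an empty or relative input.
func normalize(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// allowedSafe normalizes first, then applies the same rules (the hardened form).
func allowedSafe(rules []Rule, reqPath string) bool {
	return allowedRaw(rules, normalize(reqPath))
}

// setupSandbox builds a throwaway root with public/ and secret/key inside it
// (constructed test data) so the filesystem side of the bypass can be observed.
func setupSandbox() (string, error) {
	root, err := os.MkdirTemp("", "rules-demo")
	if err != nil {
		return "", err
	}
	for _, d := range []string{"public", "secret"} {
		if err := os.MkdirAll(filepath.Join(root, d), 0o700); err != nil {
			return "", err
		}
	}
	return root, os.WriteFile(filepath.Join(root, "secret", "key"), []byte("hunter2\n"), 0o600)
}

// readRaw joins root and the raw request path by string concatenation, the way a
// server that trusts the URL path would, so "//secret/key" reaches the OS unchanged.
func readRaw(root, reqPath string) ([]byte, error) {
	return os.ReadFile(root + reqPath)
}

func main() {
	rules := []Rule{{Path: "/secret", Allow: false}}
	root, err := setupSandbox()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, p := range []string{"/secret/key", "//secret/key", "/public/../secret/key"} {
		data, ferr := readRaw(root, p)
		fmt.Printf("%-24s raw-allowed=%-5v safe-allowed=%-5v fs-read=%q err=%v\n",
			p, allowedRaw(rules, p), allowedSafe(rules, p), strings.TrimSpace(string(data)), ferr)
	}
}
```

Running it shows the raw matcher allowing "//secret/key" while the OS happily returns the key, and the normalized matcher denying every spelling of the path. The design point is that the string handed to the authorization check must be the same canonical string handed to the filesystem; normalizing once, before any rule is consulted, removes the whole class rather than the one encoding reported here.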

Remediation

Upgrade to File Browser version 2.57.1 or later, where this vulnerability has been patched. Until then, treat any 'Disallow' rule as advisory only, since it can be bypassed by any authenticated user.

Added: Feb 9, 2026, 10:38 PM
Updated: Feb 9, 2026, 10:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.