File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.61.0
A broken access control vulnerability has been identified in File Browser versions prior to 2.61.1, specifically within the TUS protocol DELETE endpoint. This vulnerability allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended restriction that requires Delete permission. The issue arises in multi-user deployments where administrators have explicitly restricted file deletion for certain users.
Exploitation of this vulnerability allows for unauthorized deletion of files and directories by users who should not have the right to perform such actions, undermining the application's access control model.
To reproduce this vulnerability, first create a test user with Create permission enabled and Delete permission disabled. After logging in as this user, attempt to delete a file using the standard resource DELETE endpoint, which should be blocked due to the lack of Delete permission. Then, initiate a TUS upload to register the file in the upload cache and immediately issue a TUS DELETE request for the same file. The request will succeed, deleting the file despite the user's Delete permission being disabled.
Users can upgrade to File Browser version 2.61.1 or later, where this vulnerability has been patched.
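As an added illustration of the fix (example code written for this page, not File Browser's own handler), the rule a TUS DELETE handler needs: the Delete permission is checked first, and a file being registered in the upload cache never substitutes for it. The `Perm`, `User` and `Store` types are assumptions made for the example.

```go
package main

import (
	"net/http"
	"path"
	"strings"
	"sync"
)

// Perm holds the two flags the advisory distinguishes. Field names and
// layout are assumptions for this example, not File Browser's own types.
type Perm struct{ Create, Delete bool }

type User struct {
	Name string
	Perm Perm
}

// Store is a constructed stand-in for the upload cache plus the file store.
type Store struct {
	mu      sync.Mutex
	uploads map[string]bool   // files registered by a TUS upload
	files   map[string][]byte // file contents on "disk"
}

func NewStore() *Store {
	return &Store{uploads: map[string]bool{}, files: map[string][]byte{}}
}

// TusDelete models DELETE on the TUS endpoint and returns the HTTP status.
// The rule that closes the gap described above: presence in the upload
// cache never substitutes for Delete permission, so that check comes first
// and applies whether or not the file was registered by a TUS upload.
func (s *Store) TusDelete(u User, target string) int {
	if !u.Perm.Delete {
		return http.StatusForbidden
	}
	// Normalise the name so the lookup stays within the user's scope.
	name := path.Clean("/" + strings.TrimPrefix(target, "/"))
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.uploads[name] && s.files[name] == nil {
		return http.StatusNotFound
	}
	delete(s.uploads, name)
	delete(s.files, name)
	return http.StatusNoContent
}
```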