File Browser Path Traversal Vulnerability Allowing Access Rule Bypass

A path traversal vulnerability has been identified in File Browser versions through 2.61.2. The issue arises in the resourcePatchHandler, where the destination path is validated against access rules before being normalized. This flaw allows authenticated users with Create or Rename permissions to bypass deny rules by injecting dot-dot sequences into the destination parameter of a PATCH request. Exploiting this vulnerability enables users to write or move files into paths protected by deny rules, although it cannot be used to escape the user's BasePathFs scope or read from restricted paths.

Impact

Exploiting this vulnerability allows authenticated users with Copy or Rename permissions to bypass access rules and write or move files into denied paths within their scope.

Reproduction

To reproduce this vulnerability, first verify that the deny rule for a restricted path is enforced by attempting to copy a file into that path, which should return a 403 Forbidden status. Then, exploit the vulnerability by injecting dot-dot sequences into the destination parameter of a PATCH request, effectively bypassing the deny rule and copying the file into the restricted path.

Remediation

Users can upgrade to File Browser version 2.62.0 or later to address this vulnerability.