File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.61.2
A vulnerability in File Browser versions through 2.61.2 allows any unauthenticated visitor to register as a full administrator. This issue arises when self-registration is enabled and the default user permissions include admin rights. The signup handler automatically applies all default settings, including admin permissions, to new users without any server-side checks to remove admin rights from self-registered accounts. Consequently, if an admin inadvertently sets the default to grant admin rights and enables signup, all accounts created through the public registration endpoint will have full administrative privileges.
Exploitation of this vulnerability allows unauthenticated users to create admin accounts, which can lead to unauthorized access and control over all files, users, and server settings. Additionally, if the 'enableExec' option is active, it could allow the execution of arbitrary commands on the server.
To reproduce this vulnerability, first deploy File Browser version 2.61.2 or earlier with self-registration enabled and default user permissions set to grant admin rights. Then register a new account through the public signup endpoint. The newly created account will have admin privileges, allowing access to admin-only endpoints and settings.
Users can upgrade to File Browser version 2.62.0 or later, where this vulnerability has been fixed.
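To make the failure mode concrete, the following is an added illustrative model in Go, not File Browser's own code: the `Perm` and `Settings` types and the function names are hypothetical. It shows a signup path that copies the default permissions unchanged beside one that strips admin from self-registered accounts, plus a configuration audit for the risky combination the advisory describes.

```go
package main

import "errors"

// Perm is a simplified per-user permission set (hypothetical model, not
// File Browser's own types).
type Perm struct {
	Admin   bool
	Execute bool
}

// Settings models the two server-wide options the advisory describes.
type Settings struct {
	Signup   bool // self-registration enabled
	Defaults Perm // permissions copied onto every new user
}

// vulnerableSignup copies the defaults verbatim onto the new account: if
// they grant admin, a self-registered visitor becomes an administrator.
func vulnerableSignup(s Settings) (Perm, error) {
	if !s.Signup {
		return Perm{}, errors.New("signup disabled")
	}
	return s.Defaults, nil
}

// hardenedSignup applies the defaults but forces admin off for any account
// created through the public endpoint, whatever the defaults say.
func hardenedSignup(s Settings) (Perm, error) {
	p, err := vulnerableSignup(s)
	if err != nil {
		return Perm{}, err
	}
	p.Admin = false
	return p, nil
}

// auditDefaults reports the dangerous combinations an operator should look
// for on a deployed instance: signup on while defaults carry admin or exec.
func auditDefaults(s Settings) []string {
	var findings []string
	if s.Signup && s.Defaults.Admin {
		findings = append(findings, "signup enabled with admin in defaults")
	}
	if s.Signup && s.Defaults.Execute {
		findings = append(findings, "signup enabled with execute in defaults")
	}
	return findings
}
```

Running `auditDefaults` against a deployment's settings is the quick check for the misconfiguration; the hardened handler is the server-side guard the vulnerable versions lacked.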