FileRise WebDAV Filename Validation Bypass Vulnerability Leading to Remote Code Execution
Vulnerability
A vulnerability in FileRise, a self-hosted web file manager and WebDAV server, allows remote code execution in versions prior to 3.8.0. The WebDAV upload endpoint accepts any file extension, including those associated with server-side executable types, bypassing the filename validation that the regular upload path requires. The root cause is that the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept filenames directly from the WebDAV client without validation. Executing an uploaded file requires a non-default deployment without Apache's LocationMatch protection. The vulnerability is fixed in version 3.8.0.
Impact
Exploitation of this vulnerability in default deployments results in unrestricted arbitrary file write on the server filesystem. In non-default deployments, uploaded files with executable extensions could be accessed and executed as PHP, leading to full remote code execution.
Reproduction
The vulnerability can be reproduced by uploading files with dangerous extensions through the WebDAV upload endpoint. This can be done using a WebDAV client or by manually sending HTTP PUT requests with the desired file names and contents. After uploading, the files can be accessed directly from the server, and if the deployment lacks the default Apache protections, the uploaded PHP files will be executed, confirming the remote code execution.
Remediation
Users can update to FileRise version 3.8.0, which addresses this vulnerability by normalizing WebDAV write filenames, centralizing filename validation for uploads, and blocking dangerous file types such as .htaccess and executable extensions.
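The remediation described above, sketched as an added example (not FileRise's own code): a single validation function that both the WebDAV write path and the regular upload path would call. The function name, the blocklists and the sample filenames are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical blocklists for illustration; not FileRise's actual lists.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
    'phtml', 'phar', 'pht', 'phps', 'cgi', 'pl', 'py', 'sh', 'asp', 'aspx', 'jsp'];
const BLOCKED_NAMES = ['.htaccess', '.htpasswd', '.user.ini'];

/**
 * Normalize a client-supplied filename and reject dangerous ones.
 * Returns the normalized name or throws InvalidArgumentException.
 */
function validateUploadName(string $raw): string
{
    // Reject NUL/control bytes and path separators before anything else.
    if (preg_match('/[\x00-\x1F\x7F\/\\\\]/', $raw) === 1) {
        throw new InvalidArgumentException('control character or path separator');
    }
    // Normalize: trailing dots and spaces are dropped by some filesystems,
    // so "shell.php." must be judged as "shell.php".
    $name = rtrim(trim($raw), '. ');
    if ($name === '') {
        throw new InvalidArgumentException('empty or relative name');
    }
    $lower = strtolower($name);
    if (in_array($lower, BLOCKED_NAMES, true)) {
        throw new InvalidArgumentException('blocked server configuration file');
    }
    // Check every dot-separated segment after the base name, not only the
    // last one: "img.php.jpg" can still be handled as PHP on some setups.
    foreach (array_slice(explode('.', $lower), 1) as $segment) {
        if (in_array(trim($segment), BLOCKED_EXTENSIONS, true)) {
            throw new InvalidArgumentException('blocked extension: .' . trim($segment));
        }
    }
    return $name;
}

// Constructed sample names. A WebDAV handler (createFile/put) and the regular
// upload handler would both pass the client-supplied name through this call.
$samples = ['report.pdf', 'shell.php', 'Shell.PhP.', 'img.php.jpg', '.htaccess', '../x.txt'];
foreach ($samples as $candidate) {
    try {
        printf("%-12s accepted as %s\n", $candidate, validateUploadName($candidate));
    } catch (InvalidArgumentException $e) {
        printf("%-12s rejected: %s\n", $candidate, $e->getMessage());
    }
}
```

Of the constructed samples only report.pdf is accepted. A blocklist like this is a second layer: keeping the upload directory non-executable at the web server, as the default Apache protection does, remains the primary control.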
