FileRise ONLYOFFICE Integration Access Control Vulnerability Allowing Arbitrary File Overwrite
Vulnerability
A broken access control vulnerability has been identified in FileRise, a self-hosted web file manager and WebDAV server, prior to version 3.10.0. The issue arises in the ONLYOFFICE integration, where an authenticated user with read-only access can obtain a signed save callback URL for a file. That URL can then be used to forge a save callback that overwrites the file with content controlled by the attacker. The vulnerability exists because the ONLYOFFICE callback handler trusts user-supplied data to authorize write operations, allowing unauthorized modifications to files.
Impact
Exploitation of this vulnerability allows read-only users to overwrite files they should not be able to modify, potentially leading to unauthorized file changes, integrity compromises of shared documents, and the introduction of malicious content that could be accessed by other users.
Reproduction
To reproduce this vulnerability, an authenticated user with read-only access must request the ONLYOFFICE configuration for a file. The response will include a signed callback URL, which can then be used to forge a callback request that overwrites the targeted file with content from an attacker-controlled source.
Remediation
Users can update to FileRise version 3.10.0, which addresses this vulnerability by tightening the authorization process for ONLYOFFICE callbacks. Instructions for downloading the latest version are available on the FileRise GitHub releases page.
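The authorization pattern at issue, sketched as an added example that is not FileRise's code or its 3.10.0 patch: a signed save-callback token is issued only to users with write access, and the callback handler decides from the verified claims and the current ACL rather than from request fields. The ACL model, token format, key and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed; a real deployment loads this from config
# Constructed ACL (hypothetical model): user -> folder -> permissions
ACL = {"alice": {"shared": {"read", "write"}}, "bob": {"shared": {"read"}}}

def can(user, folder, perm):
    return perm in ACL.get(user, {}).get(folder, set())

def sign_claims(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac

def verify_claims(token):
    body, _, mac = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # signature mismatch: token was not issued by this server
    return json.loads(base64.urlsafe_b64decode(body))

def editor_config(user, folder, name):
    """Build the editor config; only writers receive a save-callback token."""
    if not can(user, folder, "read"):
        raise PermissionError("no read access")
    writable = can(user, folder, "write")
    cfg = {"mode": "edit" if writable else "view", "callback_token": None}
    if writable:
        cfg["callback_token"] = sign_claims(
            {"u": user, "f": folder, "n": name, "p": "write"})
    return cfg

def handle_save_callback(token, folder, name):
    """Authorize a save from verified claims and the current ACL, never request fields."""
    claims = verify_claims(token)
    if claims is None or claims.get("p") != "write":
        return False
    if (claims.get("f"), claims.get("n")) != (folder, name):
        return False  # token is bound to exactly one file
    return can(claims["u"], claims["f"], "write")  # re-check: rights may have changed
```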
