File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.62.1
A vulnerability in File Browser prior to version 2.62.2 allows unauthenticated users to execute arbitrary commands on the server. This issue arises because the application’s signup handler improperly manages user permissions. While it removes Admin rights from the default user template, it fails to strip the Execute permission and the associated Commands list. As a result, when an administrator enables self-registration and server-side command execution, any unauthenticated user who self-registers can inherit these execution capabilities and run commands on the server.
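The flaw is a privilege-sanitisation gap in the signup path: the new account is copied from the default user template and only the Admin flag is cleared. The Go snippet below is an added illustration and not File Browser's own code; the `Perm`, `User` and `Settings` types, the field names and the `vulnerableSignup`/`hardenedSignup`/`AuditSettings` functions are assumptions modelled on the behaviour the advisory describes. It places the incomplete sanitisation beside a corrected version that also clears Execute and the Commands list, and adds a configuration audit that flags the risky combination of settings (self-registration, command execution and an execute-capable template) so an operator can detect it before patching.

```go
package main

import "fmt"

// Perm is a hypothetical per-user capability set (assumption: not the
// project's real type). Execute gates server-side command execution.
type Perm struct {
	Admin   bool
	Execute bool
	Create  bool
	Modify  bool
	Delete  bool
}

// User is a hypothetical account record. Commands is the allow-list of
// shell commands the user may run when Perm.Execute is set.
type User struct {
	Username string
	Perm     Perm
	Commands []string
}

// Settings models the three server options the advisory ties together.
type Settings struct {
	Signup      bool // public self-registration enabled
	ExecEnabled bool // server-side command execution enabled
	DefaultUser User // template copied for every self-registered account
}

// vulnerableSignup mirrors the described defect: the template is copied
// and only Admin is cleared, so Execute and Commands survive on the new user.
func vulnerableSignup(s Settings, username string) User {
	u := s.DefaultUser
	u.Username = username
	// copy the slice so the template itself is never aliased
	u.Commands = append([]string(nil), s.DefaultUser.Commands...)
	u.Perm.Admin = false
	return u
}

// hardenedSignup strips every privilege a self-registered account must not
// inherit: Admin, Execute and the Commands allow-list.
func hardenedSignup(s Settings, username string) User {
	u := s.DefaultUser
	u.Username = username
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// AuditSettings returns the findings a defender would want raised for a
// configuration in which the self-registration path can hand out
// execution rights. An empty result means none of the risky
// combinations is present.
func AuditSettings(s Settings) []string {
	var findings []string
	if !s.Signup {
		return findings // nothing can be inherited if nobody can self-register
	}
	if s.ExecEnabled && s.DefaultUser.Perm.Execute {
		findings = append(findings, "self-registration, command execution and an Execute-capable default template are all enabled")
	}
	if len(s.DefaultUser.Commands) > 0 {
		findings = append(findings, "default user template carries a Commands allow-list")
	}
	if s.DefaultUser.Perm.Admin {
		findings = append(findings, "default user template has Admin set")
	}
	return findings
}

func main() {
	// Constructed sample configuration matching the advisory's preconditions.
	s := Settings{
		Signup:      true,
		ExecEnabled: true,
		DefaultUser: User{
			Perm:     Perm{Admin: true, Execute: true, Create: true},
			Commands: []string{"ls", "cat"},
		},
	}
	v := vulnerableSignup(s, "selfreg")
	h := hardenedSignup(s, "selfreg")
	fmt.Printf("vulnerable: execute=%v commands=%v\n", v.Perm.Execute, v.Commands)
	fmt.Printf("hardened:   execute=%v commands=%v\n", h.Perm.Execute, h.Commands)
	for _, f := range AuditSettings(s) {
		fmt.Println("finding:", f)
	}
}
```

`AuditSettings` is the operational check: on an unpatched instance, running it against the live settings (or the equivalent fields in the admin UI) tells you whether the preconditions for inheritance are met, and the first two findings are the ones to clear immediately by disabling self-registration or removing Execute and the Commands list from the template.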
Exploitation of this vulnerability allows for arbitrary command execution on the server with the privileges of the File Browser process. This could lead to a complete server compromise, especially if the process runs as root.
To reproduce this vulnerability, an administrator must first enable public self-registration and server-side command execution, while setting the default user template to include execution permissions and a list of commands. Once these settings are configured, an unauthenticated user can self-register and will inherit the execution rights and commands specified in the default template. After logging in, the user can execute commands via a WebSocket connection, bypassing normal authentication checks.
Users should update to File Browser version 2.62.2 or later, where this vulnerability has been patched.