File Browser Access Rule Bypass Vulnerability

Vulnerability

A path-based access rule bypass vulnerability has been identified in File Browser versions through 2.62.2. The issue arises in the Matches() function within rules/rules.go, which compares non-regex rule paths against the requested path with strings.HasPrefix() and never checks that the match ends on a directory separator. As a result, a rule for '/uploads' also matches '/uploads_backup/' (and any other path that merely begins with the same characters), so the rule is applied to directories the administrator never intended. The root cause is the missing directory-boundary check when non-regex access rules are applied to a path; regex rules are not affected by this particular comparison.

Impact

An authenticated user can read files in directories whose names share a leading-string prefix with a directory the user has been granted, bypassing the access controls an administrator configured. Only paths that begin with the exact characters of an allowed rule path are affected; the user still needs a valid account and an existing rule for the shorter prefix.

Reproduction

To reproduce this vulnerability, an admin user configures an access rule that allows a restricted user to reach a specific directory, such as '/shared'. The filesystem must also contain a sibling directory whose name begins with the same characters, such as '/shared_private'. Logged in as the restricted user, request a file under '/shared_private'. Because the rule check stops at the common prefix, the rule for '/shared' is applied to that request and the file from '/shared_private' is served.
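The prefix comparison described in the Vulnerability section and the '/shared' versus '/shared_private' scenario from the reproduction above, as an added Go example that is not File Browser's own code: a minimal Rule type with the flawed bare-prefix match placed beside a boundary-enforcing match. The Rule type, both function names, and the sample rule and request paths are assumptions for this illustration; the hardened form also cleans the path before comparing, which goes beyond the page's specific case.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is an illustrative stand-in for a non-regex access rule: Path is the
// rule's directory, Allow says whether a match grants or denies access.
// It is not the project's own type.
type Rule struct {
	Path  string
	Allow bool
}

// matchesPrefix reproduces the flawed check the advisory describes: a bare
// string prefix comparison. "/shared" matches "/shared_private/..." because
// nothing requires the match to stop at a directory separator.
func matchesPrefix(r Rule, req string) bool {
	return strings.HasPrefix(req, r.Path)
}

// matchesDir is the hardened form. Both sides are normalised with path.Clean
// (so "/shared/" becomes "/shared" and ".." segments are resolved), and the
// request must either be the rule directory itself or sit below it with a
// "/" immediately after the rule path.
func matchesDir(r Rule, req string) bool {
	rulePath := path.Clean("/" + r.Path)
	reqPath := path.Clean("/" + req)
	if rulePath == "/" {
		return true // a root rule covers every path
	}
	return reqPath == rulePath || strings.HasPrefix(reqPath, rulePath+"/")
}

func main() {
	// Constructed sample: one allow rule for /shared, as in the reproduction.
	rule := Rule{Path: "/shared", Allow: true}
	requests := []string{
		"/shared/report.pdf",                   // legitimately allowed
		"/shared",                              // the directory itself
		"/shared_private/secret.txt",           // sibling that shares the prefix
		"/shared/../shared_private/secret.txt", // prefix hidden behind ".."
	}
	fmt.Printf("%-40s %-8s %s\n", "request", "prefix", "boundary")
	for _, req := range requests {
		fmt.Printf("%-40s %-8t %t\n", req, matchesPrefix(rule, req), matchesDir(rule, req))
	}
}
```

Running this prints true for every request under the flawed prefix check, while the boundary check rejects both '/shared_private/secret.txt' and the dot-dot variant. Note that the naive fix of appending "/" to the rule path before calling HasPrefix is not enough on its own: a rule stored as "/shared/" would then fail to match a request for "/shared" itself, which is why the hardened form tests equality separately from the slash-terminated prefix.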

Remediation

Upgrade to File Browser version 2.63.1 or later, where this vulnerability has been fixed. Until the upgrade is applied, administrators can check their exposure by listing every directory named in an allow rule and looking for any other directory on the same filesystem whose name begins with that rule path; those are the directories the flawed comparison will also match.

Added: Apr 7, 2026, 6:15 PM
Updated: Apr 7, 2026, 6:15 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.3
exploitability: 6.2
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.