File Browser Text File Content Disclosure Vulnerability via Resource Endpoint Bypassing Download Permission Check

Vulnerability

A vulnerability in File Browser prior to version 2.63.1 allows users with 'download: false' permission to access full text file content through the '/api/resources' endpoint. The issue arises because the 'resourceGetHandler' in 'http/resource.go' returns text content without verifying the download permission. In contrast, the other content-serving endpoints ('/api/raw', '/api/preview', '/api/subtitle') check this permission before delivering content. This flaw lets a user who lacks the download permission read any text file within their scope, potentially exposing sensitive information such as source code, configuration files, credentials, and API tokens stored as text.

Impact

Exploitation of this vulnerability allows users with 'download: false' permission to bypass restrictions and read the full content of text files within their authorized scope, up to a 10MB limit. This could include sensitive information like source code, configuration files, credentials, and API tokens.

Reproduction

The vulnerability can be reproduced by creating a user with 'download: false' permission, logging in as that user, and then accessing the '/api/resources' endpoint with the 'X-Encoding: true' header. This will return the raw content of the requested text file, bypassing the download permission check. Alternatively, the '/api/resources' endpoint can be called without the 'X-Encoding' header, and the response will include the file content in the JSON payload, also bypassing the permission check.
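A hardened handler of the kind the fix requires, written for this page as an illustration and not taken from File Browser's code: the User type, the in-memory store, the response shape and the fetch helper are all assumptions, and the file content is a constructed placeholder. It serves metadata to any user in scope but withholds text content on both response paths described above (the JSON payload and the raw body requested with 'X-Encoding: true') unless the user holds the download permission.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// User is a hypothetical stand-in for File Browser's user model; Download mirrors the advisory's 'download' permission.
type User struct{ Download bool }

// Constructed in-memory store; the value is a placeholder, not a real secret.
var store = map[string]string{"/config/app.env": "API_TOKEN=placeholder-not-real\n"}

// resourceGetHandler is a hardened form of the endpoint: metadata goes to any
// user in scope, but text content (JSON field, or raw body with X-Encoding: true)
// is withheld unless Download is set, the gate raw/preview/subtitle already apply.
func resourceGetHandler(u User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		content, ok := store[r.URL.Path]
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		if r.Header.Get("X-Encoding") == "true" {
			if !u.Download {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			w.Write([]byte(content))
			return
		}
		resp := map[string]any{"path": r.URL.Path, "size": len(content)}
		if u.Download {
			resp["content"] = content
		}
		json.NewEncoder(w).Encode(resp)
	}
}

// fetch issues an in-process request and returns status and body for checking.
func fetch(u User, path string, raw bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if raw {
		req.Header.Set("X-Encoding", "true")
	}
	rec := httptest.NewRecorder()
	resourceGetHandler(u)(rec, req)
	return rec.Code, rec.Body.String()
}
```

The point to verify after any such change is that every code path that can emit file bytes shares the same permission gate, not just the endpoints that were originally written with it.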

Remediation

Users are advised to update File Browser to version 2.63.1 or later, where this vulnerability has been fixed.

Added: Apr 7, 2026, 6:07 PM
Updated: Apr 7, 2026, 6:07 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.