File Browser Proxy Authentication Auto-Provisioning Execution Permission Vulnerability

Vulnerability

A vulnerability in File Browser prior to version 2.63.1 allows users auto-created through the proxy authentication process to inherit execution permissions and default commands from the global defaults. The issue arises because the proxy authentication handler does not apply the restriction that the signup handler applies to keep self-registered users from receiving execution rights. As a result, accounts automatically provisioned via proxy authentication can execute commands that no administrator explicitly granted them.

Impact

Users auto-provisioned through proxy authentication on first login inherit execution rights and default commands, violating the project's security policy that prohibits automatic accounts from receiving such permissions. This issue undermines the intended permission management and could lead to unauthorized command execution.

Reproduction

The vulnerability can be reproduced by configuring File Browser to use proxy authentication and enabling default commands together with the execute permission in the global defaults. After logging in as an admin, a new user is auto-created on first login via the proxy header. The permissions of this new user reflect the inherited execution rights and commands, demonstrating the vulnerability.
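The following Go program is an added illustration of the behaviour described in the Vulnerability and Reproduction sections; it is not File Browser's own code. The type names, the Store, the provisioning functions and the header name "X-Auth-User" are all assumptions chosen for the example. It contrasts a provisioning path that copies global defaults wholesale (the pre-2.63.1 behaviour the advisory describes) with one that applies the same restriction as a signup path, and includes a small audit over a user table that lists auto-created accounts still holding execute rights or commands.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
)

// Perm is a per-user permission set. Field names are assumptions for this
// example, not File Browser's own types.
type Perm struct {
	Admin    bool
	Execute  bool
	Create   bool
	Download bool
}

// Defaults holds the instance-wide settings an administrator configures for
// newly created accounts (assumed shape).
type Defaults struct {
	Perm     Perm
	Commands []string
	Scope    string
}

// User is a provisioned account (assumed shape). AutoProvisioned records that
// the account was created by a login flow rather than by an administrator.
type User struct {
	Username        string
	Perm            Perm
	Commands        []string
	Scope           string
	AutoProvisioned bool
}

// provisionVulnerable copies the global defaults onto a new account wholesale.
// This mirrors the pre-2.63.1 behaviour the advisory describes: if the
// defaults grant Execute or list commands, an account created only because a
// proxy header named it inherits them too.
func provisionVulnerable(username string, d Defaults) User {
	cmds := append([]string(nil), d.Commands...)
	return User{Username: username, Perm: d.Perm, Commands: cmds, Scope: d.Scope, AutoProvisioned: true}
}

// provisionHardened applies the restriction the signup path enforces: an
// account nobody explicitly approved never gets admin or execute rights and
// never inherits commands, whatever the defaults say. Harmless defaults such
// as scope or download still apply.
func provisionHardened(username string, d Defaults) User {
	u := provisionVulnerable(username, d)
	u.Perm.Admin = false
	u.Perm.Execute = false
	u.Commands = nil
	return u
}

// Store is an in-memory user table standing in for the real database, with
// the provisioning strategy injected so both paths can be compared.
type Store struct {
	users     map[string]User
	provision func(string, Defaults) User
	defaults  Defaults
}

// authenticateFromHeader resolves the caller from a header set by a trusted
// reverse proxy and creates the account on first sight. The header name is a
// placeholder; only the flow is modelled, not the project's handler.
func (s *Store) authenticateFromHeader(r *http.Request, header string) (User, bool) {
	name := r.Header.Get(header)
	if name == "" {
		return User{}, false
	}
	if u, ok := s.users[name]; ok {
		return u, true
	}
	u := s.provision(name, s.defaults)
	s.users[name] = u
	return u, true
}

// auditAutoProvisioned lists auto-created accounts that hold execute rights or
// commands. The advisory describes a fix to the handler, so accounts created
// before an upgrade are worth reviewing with a check like this.
func auditAutoProvisioned(users map[string]User) []string {
	var flagged []string
	for name, u := range users {
		if u.AutoProvisioned && (u.Perm.Execute || len(u.Commands) > 0) {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	// Constructed defaults: an administrator enabled execute and two commands.
	d := Defaults{Perm: Perm{Execute: true, Download: true}, Commands: []string{"git", "ls"}, Scope: "/srv/files"}
	paths := []struct {
		label string
		fn    func(string, Defaults) User
	}{{"vulnerable", provisionVulnerable}, {"hardened", provisionHardened}}
	for _, p := range paths {
		s := &Store{users: map[string]User{}, provision: p.fn, defaults: d}
		req, _ := http.NewRequest(http.MethodGet, "/", nil)
		req.Header.Set("X-Auth-User", "alice") // constructed request as the proxy would send it
		u, _ := s.authenticateFromHeader(req, "X-Auth-User")
		fmt.Printf("%-10s execute=%v commands=%v flagged=%v\n", p.label, u.Perm.Execute, u.Commands, auditAutoProvisioned(s.users))
	}
}
```

Running the program creates the same user through both paths: the vulnerable path yields an account with execute rights and both commands, which the audit flags; the hardened path yields an account with only the scope and download default, which it does not.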

Remediation

Users can update to File Browser version 2.63.1, where this vulnerability has been fixed.

Added: Apr 7, 2026, 7:32 PM
Updated: Apr 7, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm

spread:         0.8
impact:         5.0
exploitability: 9.5
remediation:    7.7
relevance:      5.4
threat:         6.4
urgency:        2.9
incentive:      8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.