FileBrowser Quantum Unauthenticated Path Traversal Vulnerability Allowing Arbitrary File Deletion
Vulnerability
A path traversal vulnerability has been identified in FileBrowser Quantum versions prior to 1.3.1-stable and 1.3.9-beta. The issue arises because attacker-controlled path inputs are concatenated with a trusted base path before proper sanitization. This flaw allows traversal sequences, such as '../', to escape the designated shared directory. Consequently, an unauthenticated attacker with a valid public share hash that includes delete permissions can remove arbitrary files outside the shared directory, within the storage scope configured by the share owner. The vulnerability impacts both the public/api/resources endpoint and the public/api/resources/bulk endpoint.
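The two resolution strategies in the flaw described above, as an added illustration (hypothetical code, not FileBrowser Quantum's own): a naive join that concatenates before checking, beside a hardened resolver that rejects any request whose cleaned path is not the share root or a descendant of it, plus a batch variant of the same check for bulk-style requests. Paths such as `/srv/shares/public` are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is returned when a requested path escapes the share root.
var ErrOutsideShare = errors.New("path escapes share root")

// naiveJoin mirrors the flawed pattern: the user-supplied path is glued onto
// the trusted base with no containment check, so "../" segments walk out of
// the share. Illustrative only, not the project's actual code.
func naiveJoin(shareRoot, userPath string) string {
	return filepath.Join(shareRoot, userPath)
}

// resolveWithinShare is the hardened form. filepath.Join cleans the combined
// path (collapsing "../"), and the result is then required to be the root
// itself or to start with root plus a separator. The separator matters:
// without it, "../publicx/y" would pass a prefix check against ".../public".
// This check is lexical; if symlinks live inside the share, resolve them
// first (filepath.EvalSymlinks) and re-check the real path.
func resolveWithinShare(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, userPath)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideShare
	}
	return full, nil
}

// resolveBulk applies the same check to every path in a bulk request and
// refuses the whole batch if any single entry escapes, so a mixed request
// cannot sneak one traversal in among legitimate entries.
func resolveBulk(shareRoot string, userPaths []string) ([]string, error) {
	out := make([]string, 0, len(userPaths))
	for _, p := range userPaths {
		full, err := resolveWithinShare(shareRoot, p)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", p, err)
		}
		out = append(out, full)
	}
	return out, nil
}

func main() {
	root := "/srv/shares/public" // constructed sample share root
	fmt.Println("naive:", naiveJoin(root, "../protected.txt"))
	fmt.Println(resolveWithinShare(root, "../protected.txt"))
	fmt.Println(resolveBulk(root, []string{"docs/report.pdf", "../protected.txt"}))
}
```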
Impact
Exploitation of this vulnerability allows for unauthorized deletion of files, leading to data loss and potential disruption of services.
Reproduction
To reproduce this vulnerability in a stable version, create a directory structure with a shared subdirectory and a protected file outside of it. Then, create a public share in the shared subdirectory with delete permissions enabled. Finally, send a DELETE request to the public/api/resources endpoint, including the hash and a path that traverses out of the shared directory. The protected file will be deleted, demonstrating the vulnerability. This can also be reproduced in the development version using the public/api/resources/bulk endpoint by sending a similar request with the path traversal included in the request body.
Remediation
Update to FileBrowser Quantum version 1.3.1-stable or 1.3.9-beta, where the path input is sanitized before it is combined with the base path, to address this vulnerability.