Detection Guidance

This vulnerability can be detected by checking if the File Browser instance allows unauthenticated users to self-register and inherit Execute permissions along with a Commands list from the default user template.

One way to detect the vulnerability is to attempt self-registration via the signup API and inspect the resulting JWT token for Execute permissions.

Example commands to test the vulnerability include:

• Use curl to self-register a new user: curl -X POST -d '{"username":"testuser","password":"testpass"}' https://<filebrowser-server>/api/signup
• Login with the new user to receive a JWT token: curl -X POST -d '{"username":"testuser","password":"testpass"}' https://<filebrowser-server>/api/login
• Inspect the JWT token payload to check if the Execute permission is present.
• Use a WebSocket client (e.g., wscat) to connect to the command execution endpoint and attempt to run commands: wscat -c wss://<filebrowser-server>/api/command/
• Send commands such as: bash -c 'id && hostname && cat /etc/passwd | head -3' to verify if arbitrary command execution is possible.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated users to gain shell execution capabilities on the server by self-registering. This means attackers can run arbitrary commands on the server, potentially leading to full system compromise, data theft, data loss, or disruption of services.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated users who self-register to inherit shell execution capabilities and run arbitrary commands on the server. Such unauthorized access and control over server operations can lead to data breaches, unauthorized data manipulation, and potential exposure of sensitive information.

Consequently, this could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and confidentiality. The ability for unauthorized users to execute commands on the server may violate these requirements by compromising data security and privacy.

The issue has been patched in version 2.62.2, so updating to this version or later is critical to maintaining compliance.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in File Browser versions prior to 2.62.2. The signupHandler applies default user permissions but only removes the Admin permission. It does not remove the Execute permission or the Commands list from the default user template. As a result, if an administrator enables signup, server-side execution, and sets Execute=true in the default user template, any unauthenticated user who self-registers gains shell execution capabilities and can run arbitrary commands on the server.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade File Browser to version 2.62.2 or later, where the issue has been patched.

Additionally, review and adjust the default user template permissions, especially the Execute permission and Commands list, to ensure that unauthenticated users cannot inherit shell execution capabilities.

If signup is enabled, consider disabling it temporarily until the patch is applied.

Useful 0 Not Useful 0