CVE-2026-55667
Status: Deferred - Pending Action
File Browser Path Traversal via Upload Cleanup

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.
Affected Vendors & Products

Vendor: filebrowser
Product: file_browser
Version / Range: all versions before 2.63.16 (2.63.16, the fixed release, is excluded)
CWE IDs

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-59 (Improper Link Resolution Before File Access, 'Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Compliance Impact

This vulnerability allows a scoped, non-admin user with only Create permission to delete arbitrary files outside their designated scope, including other tenants' data and the application's database. Such unauthorized deletion of data can lead to significant integrity and availability issues.

Because the vulnerability enables cross-tenant data deletion and potential denial-of-service by deleting critical files such as the database, it can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data integrity, availability, and confidentiality.

Specifically, the ability to delete other tenants' data violates principles of data isolation and protection, potentially leading to data loss, unauthorized data manipulation, and service disruption, all of which are critical compliance concerns under these standards.

Executive Summary

This vulnerability affects File Browser versions prior to 2.63.16 and involves a scoped, non-admin user who only has the Create permission. Such a user can delete arbitrary files outside their allowed scope, including other tenants' data and the application's database, by exploiting the upload failure-cleanup process.

The root cause is that the ScopedFs containment wrapper, which is supposed to restrict file operations to a user's designated scope, applies its symlink guard to every dereferencing operation except RemoveAll. The direct-upload handler calls RemoveAll on the user-controlled path when it cleans up after a failed upload, and that call is gated only by the Create permission, not by Delete.

If a directory symlink that escapes the user's scope already exists within their allowed directory (for example, created by an admin or through mounted volumes), the user can exploit this to delete files outside their permitted boundaries, bypassing both the scope restrictions and the Delete permission gate.

This vulnerability is fixed in File Browser version 2.63.16 by adding the symlink guard to the Remove and RemoveAll functions and improving containment checks.
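The mechanism described above, as an added Go example that is not File Browser's code: a minimal, hypothetical ScopedFs whose symlink guard Lstats each path component, an unguarded RemoveAll modelling the pre-2.63.16 cleanup path, and a guarded one modelling the fix. The tenantA/tenantB layout, the planted `esc` link and the names RemoveAllVulnerable, RemoveAllFixed and Demo are constructed for the demonstration. It relies on a documented property of Go's os.RemoveAll: a symlink at the final path component is unlinked rather than followed, but symlinks in parent components are followed, which is exactly why an escaping directory symlink is the useful primitive here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideScope is returned when a request would reach outside the scope root.
var ErrOutsideScope = errors.New("path escapes scope")

// ScopedFs is a hypothetical stand-in for a containment wrapper (not File
// Browser's type of the same name): user paths are joined under Root.
type ScopedFs struct{ Root string }

// fullPath lexically confines name under Root: Clean("/"+name) cannot
// contain "..", so ".." traversal alone never escapes. Symlinks still can.
func (s ScopedFs) fullPath(name string) string {
	return filepath.Join(s.Root, filepath.Clean("/"+name))
}

// noSymlinks is the symlink guard: it Lstats each component of the confined
// path and rejects any symlink, so a link planted inside the scope cannot
// redirect the operation to a target outside it.
func (s ScopedFs) noSymlinks(name string) error {
	cur := s.Root
	for _, part := range strings.Split(filepath.Clean("/"+name), string(filepath.Separator)) {
		if part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return nil // nothing further exists yet, so nothing to dereference
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s is a symlink", ErrOutsideScope, cur)
		}
	}
	return nil
}

// RemoveAllVulnerable models the pre-2.63.16 cleanup path: no guard.
// os.RemoveAll follows symlinks in parent components, so "esc/victim.txt"
// dereferences the planted "esc" link and deletes outside the scope.
func (s ScopedFs) RemoveAllVulnerable(name string) error {
	return os.RemoveAll(s.fullPath(name))
}

// RemoveAllFixed runs the guard first, as the fix does for Remove/RemoveAll.
func (s ScopedFs) RemoveAllFixed(name string) error {
	if err := s.noSymlinks(name); err != nil {
		return err
	}
	return os.RemoveAll(s.fullPath(name))
}

// Demo builds a constructed layout in a temporary directory (tenantA/ is the
// create-only user's scope, tenantA/esc -> tenantB is the planted escaping
// directory symlink, tenantB/victim.txt is another tenant's file) and reports
// whether the unguarded RemoveAll deleted victim.txt and what the guarded one
// returned for the same "esc/victim.txt" request.
func Demo() (vulnDeleted bool, fixedErr error, err error) {
	base, err := os.MkdirTemp("", "scopedfs")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(base)
	scope, other := filepath.Join(base, "tenantA"), filepath.Join(base, "tenantB")
	victim := filepath.Join(other, "victim.txt")
	if err := errors.Join(
		os.Mkdir(scope, 0o700), os.Mkdir(other, 0o700),
		os.WriteFile(victim, []byte("tenant B data"), 0o600),
		os.Symlink(other, filepath.Join(scope, "esc")),
	); err != nil {
		return false, nil, err
	}
	sfs := ScopedFs{Root: scope}
	fixedErr = sfs.RemoveAllFixed("esc/victim.txt") // must refuse
	if _, err := os.Stat(victim); err != nil {
		return false, fixedErr, errors.New("guarded RemoveAll touched the file")
	}
	if err := sfs.RemoveAllVulnerable("esc/victim.txt"); err != nil {
		return false, fixedErr, err
	}
	_, statErr := os.Stat(victim)
	return errors.Is(statErr, os.ErrNotExist), fixedErr, nil
}

func main() {
	deleted, fixedErr, err := Demo()
	fmt.Println("unguarded RemoveAll deleted out-of-scope file:", deleted, "| guarded returned:", fixedErr, "| error:", err)
}
```

The guard only helps if it runs on every dereferencing path; the advisory's point is that one missing call site, reachable with a lower privilege than Delete, was enough to undo the containment for the whole instance.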

Impact Analysis

This vulnerability can have serious impacts including unauthorized deletion of files outside a user's scope.

  • Cross-tenant data deletion, meaning data belonging to other users or tenants can be deleted by an unauthorized user.
  • Deletion of the application's own database directory, potentially causing a full-instance denial-of-service.

Overall, it compromises data integrity and availability, which can disrupt normal operations and lead to data loss.

Detection Guidance

Detection has two parts: confirming the preconditions for exploitation (an escaping directory symlink inside a user's scope, and a scoped non-admin user holding Create) on instances that have not been upgraded, and looking for signs that the cleanup path was abused.

The main thing to check is whether any symlink inside a user's scope resolves to a location outside that scope, since that is what turns the missing guard on RemoveAll into a cross-scope delete.

Commands and checks that help:

  • List symlinks inside a user's scope, for example: `find /path/to/user/scoped/dir -type l -exec ls -l {} +`. This shows each link's raw target text, not where it resolves; to decide whether a link escapes, resolve it (`find /path/to/user/scoped/dir -type l -exec readlink -f {} \;` with GNU coreutils) and compare each result against the resolved scope root (`readlink -f /path/to/user/scoped/dir`).
  • Review File Browser logs for unexpected deletions, or for failed-upload events from create-only users whose upload paths pass through a symlink, which may indicate exploitation attempts.
  • Audit user permissions to confirm which non-admin, scoped users hold Create, since on unpatched versions that permission alone is sufficient.
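A more discriminating version of the symlink check, as an added Go example rather than anything shipped with File Browser: it walks a scope root without following links and classifies each symlink by its resolved target, flagging the ones that resolve outside the resolved scope root (catching relative `..` targets, absolute targets and chains of links alike). AuditScope, Finding, Escaping and the constructed tenantA/tenantB layout are hypothetical names for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding records one symlink found under a scope root.
type Finding struct {
	Link     string // symlink path relative to the scope root
	Target   string // fully resolved target, empty when dangling
	Escapes  bool   // target resolves outside the (resolved) scope root
	Dangling bool   // target does not exist
}

// AuditScope walks root without following links (WalkDir never descends into
// symlinks) and classifies each symlink by where it really resolves, comparing
// the resolved target with the resolved root rather than the link text.
func AuditScope(root string) ([]Finding, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr
		}
		rel, _ := filepath.Rel(root, p)
		f := Finding{Link: rel}
		target, err := filepath.EvalSymlinks(p)
		if err != nil {
			f.Dangling = true // broken link: cannot be dereferenced, but worth reporting
		} else {
			f.Target = target
			inside, err := filepath.Rel(realRoot, target)
			f.Escapes = err != nil || inside == ".." ||
				strings.HasPrefix(inside, ".."+string(filepath.Separator))
		}
		findings = append(findings, f)
		return nil
	})
	return findings, err
}

// Escaping returns only the findings that break scope containment.
func Escaping(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Escapes {
			out = append(out, f)
		}
	}
	return out
}

// Demo constructs a scope with three symlinks (a benign relative one, an
// escaping one and a dangling one) in a temp dir and returns the audit result.
func Demo() ([]Finding, error) {
	base, err := os.MkdirTemp("", "scopeaudit")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	scope, other := filepath.Join(base, "tenantA"), filepath.Join(base, "tenantB")
	if err := errors.Join(
		os.MkdirAll(filepath.Join(scope, "shared"), 0o700),
		os.Mkdir(other, 0o700),
		os.Symlink("shared", filepath.Join(scope, "docs")),    // stays inside
		os.Symlink("../tenantB", filepath.Join(scope, "esc")), // escapes
		os.Symlink("missing", filepath.Join(scope, "gone")),   // dangling
	); err != nil {
		return nil, err
	}
	return AuditScope(scope)
}

func main() {
	findings, err := Demo()
	for _, f := range findings {
		fmt.Printf("%-5s escapes=%-5v dangling=%-5v -> %s\n", f.Link, f.Escapes, f.Dangling, f.Target)
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

On a live instance, run AuditScope against each scoped user's root directory; any finding with Escapes set is a precondition for this issue on an unpatched server and should be removed or explained, and the same check is worth repeating after any admin action, volume mount or backup restore that could reintroduce such a link.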

Mitigation Strategies

Immediate mitigation steps include upgrading File Browser to version 2.63.16 or later, where the vulnerability is fixed.

Until the upgrade can be applied, restrict or remove Create permissions from scoped, non-admin users to prevent exploitation.

Additionally, audit and remove any escaping directory symlinks within user scopes that could be used to bypass ScopedFs boundaries.

Consider monitoring and restricting out-of-band methods that could plant such symlinks, such as admin actions, mounted volumes, or backup restorations.
