File Browser Allows Access to Restricted Folders via Path Traversal
GHSA-9f3r-2vgw-m8xp · CVE-2026-32758 · CVSS 6.5
Summary
A vulnerability in the file browser's copy and rename feature allows authorized users to bypass administrator-configured deny rules and write or move files into folders those rules are meant to protect. This happens when a user includes special path segments, such as '..', in the destination folder name, because the destination is checked against the rules before it is normalized. To fix this, update the file browser to a version that normalizes the destination before checking it.
What to do
- Update filebrowser (github.com) to version 2.62.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | filebrowser | <= 2.61.2 | 2.62.0 |
Original title
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal t...
Original description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.
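The ordering defect the description attributes to resourcePatchHandler, as an added Go example that is not File Browser's own code: a check-then-clean helper next to the clean-then-check form. The denyRule type and both function names are hypothetical stand-ins for the project's rule handling; destinations are treated as paths relative to the user's scope root.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

// denyRule is a hypothetical stand-in for an administrator-configured deny
// rule; File Browser supports both prefix and regex forms.
type denyRule struct {
	prefix string         // deny paths under this prefix (empty = unused)
	re     *regexp.Regexp // deny paths matching this pattern (nil = unused)
}

func (r denyRule) matches(p string) bool {
	if r.prefix != "" && strings.HasPrefix(p, r.prefix) {
		return true
	}
	return r.re != nil && r.re.MatchString(p)
}

func denied(rules []denyRule, p string) bool {
	for _, r := range rules {
		if r.matches(p) {
			return true
		}
	}
	return false
}

// checkThenClean reproduces the vulnerable ordering: the raw destination is
// compared against the deny rules, and only then normalized for the file
// operation, so ".." segments change the effective path after the check.
func checkThenClean(rules []denyRule, dst string) (string, bool) {
	if denied(rules, dst) {
		return "", false
	}
	return path.Clean("/" + dst), true // anchored at the user's scope root
}

// cleanThenCheck is the corrected ordering: normalize first, so the rules
// see exactly the path the operation will act on.
func cleanThenCheck(rules []denyRule, dst string) (string, bool) {
	clean := path.Clean("/" + dst)
	if denied(rules, clean) {
		return "", false
	}
	return clean, true
}
```

As the advisory notes, the cleaned path still stays inside the user's scope; the defect is only that deny rules were evaluated on the uncleaned string.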
CVSS 3.1 (GHSA): 6.5
Vulnerability type
- CWE-22: Path Traversal
- CWE-863: Incorrect Authorization
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 16 Mar 2026