Headline
CVE-2023-39612: Potential XSS in FileBrowser leads to Admin account takeover in Filebrowser · Issue #2570 · filebrowser/filebrowser
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.
Description
A cross-site scripting vulnerability was discovered in FileBrowser: an attacker with a non-admin user account inside the FileBrowser instance can create malicious HTML and JS files, craft them in a specific way, and send the HTML file's link to the Admin to achieve account takeover via XSS, bypassing the Content-Security-Policy.
Proof of Concept
// xss.js
// xss.htm
<script src="/api/raw/poc/xss.js?auth=[jwt_token of the Low Privileged user]"></script>
Create a folder named "poc" as the non-admin user.
Create the two files shown above (xss.htm and xss.js) under the poc folder.
Craft the XSS URL as below and open it as the Admin user to verify the XSS.
http://your_filebrowser_ip:port//api/raw/poc/xss.htm?auth=[non-admin user’s jwt token]&inline=true
It will trigger an alert pop-up containing the Admin's cookie.
Explanation
The "?auth=[non-admin token]" parameter is added to the URL so that, when the Admin opens it, FileBrowser fetches the HTML/JS files created by the non-admin user. Without it, FileBrowser would use the Admin's own JWT stored in the cookie and respond with a "404 Not Found" error, because those files belong to the non-admin user and an API request made with the Admin's token cannot resolve them. Since the API also accepts the JWT in the "?auth=" GET parameter, the non-admin user can deliberately supply their own JWT token in the malicious URL for a successful exploitation.
The "?inline=true" parameter is included in the crafted URL because without it FileBrowser treats the HTML file as an attachment and downloads it as a file; with "inline=true" the HTML file is rendered as a webpage, and the JavaScript executes.
The Content-Security-Policy (CSP) is bypassed because FileBrowser sets the CSP "default-src" to 'self'. As the malicious JS is loaded from the same site, it is allowed to execute.
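The three mechanics above (a caller-chosen `inline=true`, an uploaded `.htm` rendered from the application's own origin, and a `default-src 'self'` CSP that therefore permits it) are exactly what a raw-file endpoint has to neutralise. The following is an added illustration of that hardening in Go, written for this page; it is not FileBrowser's code and does not claim to be the change shipped in v2.23.0. It assumes a hypothetical `userFiles` store, a `rawHandler` mounted under the `/api/raw` prefix the issue mentions, and the `inline` query parameter from the PoC. `weakDisposition` reproduces the behaviour the issue describes (inline honoured for any file), and `safeDisposition` / `rawHeaders` show the defended variant: active media types (HTML, SVG, XML, script) are always sent as attachments, `X-Content-Type-Options: nosniff` stops the browser from re-interpreting the body, and a `Content-Security-Policy: sandbox` response header places anything that does render into an opaque origin with scripts disabled, so the viewer's cookies are unreachable even if a type slips past the safelist.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed stand-in for files a low-privileged user has uploaded. The
// names mirror the PoC layout from the issue; the bodies are placeholders.
var userFiles = map[string]string{
	"/poc/xss.htm":   `<script src="/api/raw/poc/xss.js"></script>`,
	"/poc/xss.js":    `/* placeholder for an attacker-controlled script */`,
	"/poc/photo.png": "\x89PNG\r\n\x1a\n",
}

// activeTypes are media types a browser will execute, or render with script
// access to this origin, when served inline. They never qualify for inline.
var activeTypes = map[string]bool{
	"text/html":              true,
	"application/xhtml+xml":  true,
	"image/svg+xml":          true,
	"text/xml":               true,
	"application/xml":        true,
	"text/javascript":        true,
	"application/javascript": true,
}

// mediaType derives a Content-Type from the file extension and also returns
// the bare type with parameters such as "; charset=utf-8" stripped.
func mediaType(name string) (string, string) {
	full := mime.TypeByExtension(strings.ToLower(path.Ext(name)))
	if full == "" {
		full = "application/octet-stream"
	}
	base, _, err := mime.ParseMediaType(full)
	if err != nil {
		base = full
	}
	return full, strings.ToLower(base)
}

// weakDisposition mirrors the behaviour the issue describes: inline=true is
// honoured for every file, so an uploaded .htm renders as a same-origin page.
func weakDisposition(name string, inline bool) string {
	if inline {
		return "inline"
	}
	return "attachment"
}

// safeDisposition honours inline=true only for passive media types.
func safeDisposition(name string, inline bool) string {
	_, base := mediaType(name)
	if inline && !activeTypes[base] {
		return "inline"
	}
	return "attachment"
}

// rawHeaders builds the response headers for a raw file download.
func rawHeaders(name string, inline bool) http.Header {
	full, _ := mediaType(name)
	h := http.Header{}
	h.Set("Content-Type", full)
	// nosniff stops the browser from second-guessing a non-HTML type.
	h.Set("X-Content-Type-Options", "nosniff")
	// A sandboxed CSP isolates anything that does render: opaque origin, no
	// script, so the viewer's cookies and API session are out of reach.
	h.Set("Content-Security-Policy", "sandbox")
	h.Set("Content-Disposition",
		fmt.Sprintf("%s; filename=%q", safeDisposition(name, inline), path.Base(name)))
	return h
}

// rawHandler serves /api/raw/<path>[?inline=true] from the constructed store.
func rawHandler(w http.ResponseWriter, r *http.Request) {
	name := strings.TrimPrefix(r.URL.Path, "/api/raw")
	body, ok := userFiles[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	inline := r.URL.Query().Get("inline") == "true"
	for k, v := range rawHeaders(name, inline) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, body)
}

func main() {
	for _, u := range []string{
		"/api/raw/poc/xss.htm?inline=true",
		"/api/raw/poc/photo.png?inline=true",
	} {
		rec := httptest.NewRecorder()
		rawHandler(rec, httptest.NewRequest(http.MethodGet, u, nil))
		fmt.Printf("%s -> %s | CSP: %s\n", u,
			rec.Header().Get("Content-Disposition"),
			rec.Header().Get("Content-Security-Policy"))
	}
}
```

Run with `go run .`: the `.htm` request comes back as `attachment; filename="xss.htm"` even though `inline=true` was requested, while the `.png` is served inline, and both carry `Content-Security-Policy: sandbox`. The type safelist and the sandbox header are deliberately layered; either alone closes the rendering path the issue relies on, and together they also cover a file whose extension lies about its contents.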
Impact
This vulnerability is capable of Admin account takeover. The Admin can also run system shell commands and access the filesystem, so it leads to arbitrary command execution.