<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FileBrowser (All Versions Supporting Proxy Authentication) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/filebrowser-all-versions-supporting-proxy-authentication/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:37:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/filebrowser-all-versions-supporting-proxy-authentication/feed.xml" rel="self" type="application/rss+xml"/><item><title>FileBrowser Authentication Bypass via Forged Proxy Authentication Header</title><link>https://feed.craftedsignal.io/briefs/2026-07-filebrowser-auth-bypass/</link><pubDate>Fri, 10 Jul 2026 19:37:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-filebrowser-auth-bypass/</guid><description>An unauthenticated attacker can impersonate any user, including administrators, or automatically create new user accounts in FileBrowser by forging the `X-Remote-User` HTTP header when the server is configured for proxy authentication and is directly reachable, leading to full administrative control and unauthorized access to data.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability affects FileBrowser instances configured to use proxy authentication (<code>auth.method=proxy</code>) where the application server is directly exposed to untrusted networks. This allows any unauthenticated attacker to impersonate any existing user, including the administrator, by simply sending a forged <code>X-Remote-User</code> HTTP header during a POST request to the <code>/api/login</code> endpoint. Additionally, specifying a non-existent username in the forged header causes FileBrowser to automatically create a new user account with default permissions, providing an account creation primitive without authorization. This vulnerability stems from FileBrowser unconditionally trusting the <code>X-Remote-User</code> header without any origin validation or password verification, a behavior present across all versions that support this authentication method. This is a common misconfiguration for organizations using reverse proxies for SSO/LDAP/OAuth. Successful exploitation grants full administrative control over the FileBrowser instance and access to all hosted files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a FileBrowser instance configured with <code>auth.method=proxy</code> that is directly reachable (i.e., not exclusively behind a trusted reverse proxy).</li>
<li>The attacker crafts an HTTP POST request to the <code>/api/login</code> endpoint, including a forged HTTP header, typically <code>X-Remote-User</code>, set to a target username such as <code>admin</code>.</li>
<li>FileBrowser's <code>ProxyAuth.Auth()</code> function receives the request and extracts the username from the <code>X-Remote-User</code> header, implicitly trusting its value without any origin validation (e.g., checking trusted IP addresses) or cryptographic verification.</li>
<li>If the specified username exists, FileBrowser retrieves the corresponding user object from its internal user store. If the username does not exist, the <code>createUser()</code> function is automatically invoked, creating a new user account with default permissions and a locked, random password.</li>
<li>The <code>loginHandler</code> proceeds to mint a valid JSON Web Token (JWT) for the impersonated or newly created user. This JWT contains the full permissions of the target user, including administrator privileges if <code>admin</code> was specified.</li>
<li>The attacker receives this valid JWT and uses it in subsequent HTTP requests by including it in the <code>X-Auth</code> header to interact with privileged endpoints (e.g., <code>/api/settings</code>, <code>/api/users</code>) or access specific user resources (e.g., <code>/api/resources/</code>).</li>
<li>The attacker achieves full administrative control over the FileBrowser instance, allowing modification of server settings, enumeration of all user accounts, and unauthorized access to all files and data within the application's scope.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to complete compromise of the FileBrowser instance. Attackers gain full administrative control, allowing them to modify server configurations, create, delete, or modify files, and access sensitive data stored within the FileBrowser environment. This also enables the creation of arbitrary user accounts without authorization, potentially leading to further persistence or resource exhaustion. Organizations deploying FileBrowser behind reverse proxies, especially those exposing the application's port directly to an untrusted network (e.g., due to Docker container defaults or misconfigured cloud security groups), are at high risk of data breach and system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Restrict direct access:</strong> Configure network firewalls or security groups to ensure the FileBrowser application is only accessible by trusted reverse proxies, preventing direct access from untrusted networks.</li>
<li><strong>Review logging</strong>: Deploy the provided Sigma rule to detect POST requests to <code>/api/login</code> containing the <code>X-Remote-User</code> header. Ensure web server logs capture the <code>X-Remote-User</code> HTTP header for effective detection.</li>
<li><strong>Update configuration:</strong> If direct exposure is unavoidable, consider switching <code>auth.method</code> from <code>proxy</code> to <code>json</code> and implementing alternative, more secure authentication mechanisms at the application layer or within a properly secured reverse proxy setup.</li>
<li><strong>Implement trusted proxy validation:</strong> If using <code>auth.method=proxy</code> is essential, implement stringent trusted proxy validation at the network layer or enhance FileBrowser with origin validation checks (e.g., by contributing a patch to verify <code>r.RemoteAddr</code> against a list of trusted IPs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>web-vulnerability</category><category>privilege-escalation</category><category>file-browser</category><category>account-creation</category></item></channel></rss>