rejetto / hfs

HFS is a web file server to run on your computer. Share folders or even a single file thanks to the virtual file system.
GNU General Public License v3.0

Download privilege escape with plugins #728

Closed cbr00t closed 2 months ago

cbr00t commented 2 months ago

It is possible to download files/folders with the (can_see) permission that appear in the File List through plugins that perform Show, Preview, Play Media, etc. operations. This situation allows the (can_download: false) permission to be exceeded.

The only way to prevent this is the (can_see = false) permission.

[screenshot attachment img01]

[screenshot attachment img02]

rejetto commented 2 months ago

but what happens when you click on one of those, like show?

cbr00t commented 2 months ago

Sorry, my mistake. The data it shows is not the file content, it is the HFS Web Page interface again, it just shows HTML information as text.

[screenshot attachment img03]

rejetto commented 2 months ago

ok, but this has brought to my attention that these plugins are not currently able to determine that they fail at getting the file. I'll take care of it.
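The thread ends on two related points: cbr00t saw the "show" plugin render the HFS web interface markup as if it were the file's text, and rejetto notes that such plugins cannot currently tell that the file request failed. The following is an added example, not code from HFS or from any of its plugins, showing how a plugin-side helper could classify the server's reply before rendering it. The function and constant names (`classifyFileResponse`, `FetchOutcome`, `previewOrExplain`) and the sample responses are hypothetical and constructed here; they do not describe the real HFS plugin API.

```javascript
// Added example (not HFS code): classify what a file request actually returned,
// so a Show/Preview plugin reports a permission failure instead of displaying
// the server's own HTML page as file content. All names here are hypothetical.

const FetchOutcome = Object.freeze({
  FILE: 'file',                    // body looks like the requested file
  DENIED: 'denied',                // server refused the request (HTTP 401/403)
  FRONTEND_PAGE: 'frontend-page',  // server answered with its HTML interface
  ERROR: 'error',                  // any other non-success status
});

/**
 * Decide what a response to a file request contains.
 * @param {{status:number, headers:Object<string,string>, bodyPrefix:string}} resp
 *        headers use lower-cased names; bodyPrefix is the start of the body as text
 * @param {string} expectedType  MIME type the plugin expected (e.g. "text/plain")
 */
function classifyFileResponse(resp, expectedType) {
  const status = resp.status;
  if (status === 401 || status === 403) return FetchOutcome.DENIED;
  if (status < 200 || status >= 300) return FetchOutcome.ERROR;

  const ctype = (resp.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const prefix = resp.bodyPrefix.trimStart().slice(0, 512).toLowerCase();

  // The case from the issue: a 200 whose body is the server's own HTML page.
  // Trust the Content-Type header first; only sniff the body if the header is absent.
  const looksLikeHtmlDoc = prefix.startsWith('<!doctype html') || prefix.startsWith('<html');
  const htmlByHeader = ctype === 'text/html';
  const htmlByBody = ctype === '' && looksLikeHtmlDoc;
  if (expectedType !== 'text/html' && (htmlByHeader || htmlByBody))
    return FetchOutcome.FRONTEND_PAGE;

  return FetchOutcome.FILE;
}

// How a Show/Preview plugin would use the classification: render only real file
// content, and surface every other outcome to the user as a failure.
function previewOrExplain(resp, expectedType) {
  switch (classifyFileResponse(resp, expectedType)) {
    case FetchOutcome.FILE:
      return { ok: true, text: resp.bodyPrefix };
    case FetchOutcome.DENIED:
      return { ok: false, message: 'download not permitted for this file' };
    case FetchOutcome.FRONTEND_PAGE:
      return { ok: false, message: 'server returned its web page instead of the file' };
    default:
      return { ok: false, message: `unexpected HTTP status ${resp.status}` };
  }
}

// Constructed sample responses (not captured from a real HFS instance).
const SAMPLE_FILE = {
  status: 200, headers: { 'content-type': 'text/plain' }, bodyPrefix: 'hello world\n',
};
const SAMPLE_DENIED = {
  status: 403, headers: { 'content-type': 'text/plain' }, bodyPrefix: 'Forbidden',
};
const SAMPLE_PAGE = {
  status: 200, headers: { 'content-type': 'text/html; charset=utf-8' },
  bodyPrefix: '<!DOCTYPE html><html><head><title>HFS</title></head><body>...</body></html>',
};

// Runs the three samples through the preview path; returns the outcomes by name.
function demo() {
  const out = {};
  for (const [name, resp] of Object.entries({ SAMPLE_FILE, SAMPLE_DENIED, SAMPLE_PAGE }))
    out[name] = previewOrExplain(resp, 'text/plain');
  return out;
}
```

The header check is deliberately preferred over body sniffing: a legitimately shared `.txt` file may begin with `<html`, so sniffing alone would produce false failures. When the plugin itself expects HTML (`expectedType === 'text/html'`), the helper cannot distinguish the file from the interface page by type and falls through to `FILE`; a status-based signal from the server, which is what rejetto says he will add, is what closes that gap.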