Lack of data validation - Path Traversal In github.com/filebrowser/filebrowser/v2
Description
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
Summary
The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint.
Details
The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow.
This difference in execution path creates a measurable timing discrepancy:
Invalid User: ~1ms execution (Database lookup only). Valid User: ~50ms+ execution (Database lookup + Bcrypt hashing).
In auth/json.go:
// auth/json.go line 54 u, err := usr.Get(srv.Root, cred.Username) // VULNERABILITY: // If 'err != nil' (User not found), the OR condition short-circuits. // The second part (!users.CheckPwd) is NEVER executed. // // If 'err == nil' (User found), the code MUST execute users.CheckPwd (Bcrypt). if err != nil || !users.CheckPwd(cred.Password, u.Password) {...
PoC
The following Python script automates the attack. It first calibrates the network latency using random (non-existent) users to establish a baseline/threshold, and then tests a list of target usernames. Valid users are detected when the response time exceeds the calculated threshold.
import requests import time import random import string import statistics import argparse CALIBRATION_SAMPLES = 20...
For example, in this case, I have guchihacker as the only valid user in the application.
I am going to use the exploit to list valid users.
As we can see, the user guchihacker has been confirmed as a valid user by comparing the server response time.
Impact
An unauthenticated remote attacker can enumerate valid usernames. This significantly weakens the security posture by facilitating targeted brute-force attacks or credential stuffing against specific, known-valid accounts (e.g., 'admin', 'root', employee names).
I remain at your disposal for any questions you may have on this matter. Thank you very much.
Sincerely, Felix Sanchez (GUCHI)
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 2.55.0 | ||
go | - |
Aliases
References