So happy you completely removed the command execution feature but please check these Filebrowser issues #704
Replies: 1 comment
I'm not sure of the circumstances of the issue you encountered, but my opinion from the start was that the runner/CLI executor feature on the OG FileBrowser is a massive security hole. It's hard to overstate the ease and straightforward ability to completely hijack a machine when that feature is enabled. Literally anything is possible. That was one of the first things I removed when I created this fork. I also mentioned it several times in their issues, but that repo is basically dead at this point. I am working to make this version a full replacement, but I am still missing a couple of important features I plan to add in the next month or so. But I'm very busy with work and have had a lot less time to focus on this. You should still be able to use the OG FileBrowser and disable runners with the CLI flag... Or you can keep using this repo :) and report issues here when you find them!
On the main filebrowser repo, a lot of people have experienced crypto miners on their instances (a friend of mine included) or similar RCE attempts (the one linked is pretty recent, by the way).
I used filebrowser for months on multiple instances and never had a problem... After that issue, I also tried running multiple instances in a sandboxed VM and exposing them on subdomains, but still, I was never able to catch anything.
I understand all of this is due to the container's ability to execute commands, but is there something more that lets people bypass the auth layer?
I don't know how heavily you edited the original repo's code, but if you have a few minutes to spare, just skim it to check whether the problem is due exclusively to the ability to execute code or whether there is something more.
Anyway, thanks a lot for the hard work and for the fast replies to all the issues!