FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover

An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can exploit the path traversal vulnerability. The filename validation permits URL-encoded sequences like `..%2fusers%2fusers.txt` because the regex blocks literal `/` and `\` but not `%`. After validation, `urldecode()` reconstructs the path separators, resulting in `../users/users.txt`. The extension policy only checks the final component (`users.txt`), so the traversal sequence passes. The file is then written outside the intended upload directory via `move_uploaded_file()`, allowing overwrite of `users/users.txt` to create an administrator account, leading to unauthenticated admin takeover and potentially remote code execution [CWE-22].

The vulnerability resides in the shared-folder upload endpoint `/api/folder/uploadToSharedFolder.php`. The filename is validated by `FolderController` using `basename()` and `REGEX_FILE_NAME`, which block `/` and `\` but not URL-encoded sequences. The raw filename is then passed to `UploadModel::handleUpload`, where it is reconstructed as `trim(urldecode(basename($fileName)))`, re-introducing path separators after validation. `UploadNamePolicy::isAllowedForWrite()` applies `basename()` internally and only evaluates the final component, allowing traversal sequences to pass the extension policy. The destination path is used directly in `move_uploaded_file()` with no `realpath` containment check.

The advisory states the issue is fixed in version 3.16.0. The fix URL-decodes the filename before validation and rejects any path separators in the upload filename. This ensures that URL-encoded traversal sequences like `%2f` are decoded and detected as path separators before the filename is used in file operations, preventing the bypass. The patch does not show the exact code diff, but the remediation guidance is clear: decode before validating and reject path separators.