GHSA-qmfx-75ff-8mw6: 
vulnerability analysis and mitigation

A high-severity security vulnerability was identified in prosody-filer versions prior to 1.0.1, tracked as GHSA-qmfx-75ff-8mw6. The vulnerability allows unauthorized directory listing of download directories, enabling attackers to view previous uploads of users by manipulating URL paths (GitHub Advisory).

The vulnerability stems from improper access controls in the file management system, where attackers could bypass intended restrictions by shortening URLs and accessing subdirectories other than the designated /upload/ directory (or user-defined root directory). This security flaw was addressed in version 1.0.1, which implemented stricter access controls to only allow direct file access with known full paths (GitHub Advisory).

The vulnerability enables unauthorized access to user uploads, potentially exposing sensitive files and information stored in the upload directories. Attackers could enumerate and view previously uploaded files of any user by manipulating the URL structure (GitHub Advisory).

Users should upgrade to prosody-filer version 1.0.1 or later, which blocks directory listings entirely and only allows direct file access with known full paths. For those using the alternative Nginx configuration, it's crucial to set 'autoindex off;' in the configuration file under the upload location block (GitHub Advisory).