FileCloud

Docker Install

kdev :: /opt » sudo mkdir filecloud-dev && sudo chown -R void:void filecloud-dev
kdev :: /opt » cd filecloud-dev 
kdev :: /opt/filecloud-dev » mkdir fcdata dbdata solrdata
kdev :: /opt/filecloud-dev » docker pull filecloud/fileclouddocker
kdev :: /opt/filecloud-dev » sudo docker run --privileged -d -p 443:443 -p 80:80 -v fcdata:/opt/fileclouddata -v dbdata:/var/lib/mongodb -v solrdata:/opt/solrfcdata/var/solr -v htmldata:/var/www/html --name filecloud-dev filecloud/fileclouddocker:latest /lib/systemd/system
  • Admin URL: http://localhost/ui/admin/index.html OR /admin2/index.html

  • Default Creds: admin:password

  • Default Creds AWS: admin:<instant-id>

  • Default API Key: apipassword

  • SMTP Host: smtpcorp.com:2525

  • Default SMTP Creds: fcdemo242:1iuh0HiJKWjuE

  • AWS Install Check: https://<aws-public-dns>/install

Make sure to lock down /install, as it exposes basic and extended installation information such as the running user, PHP version, etc.

  • 30-day trial license file downloadable from: https://portal.getfilecloud.com/ui/user/index.html#/login


App Settings

Config file: /var/www/html/config/cloudconfig.php

Initialize Storage

Local Storage: Settings > Storage > Storage Path: /opt/fileclouddata

AWS Storage:

root@379bbdf43c2a:/var/www/html/config# cp amazons3storageconfig-sample.php amazons3storageconfig.php
root@379bbdf43c2a:~# vim /var/www/html/config/cloudconfig.php
define("TONIDOCLOUD_STORAGE_IMPLEMENTATION", "amazons3");

Settings > Storage ..

  • S3 Key: YOUR-S3-KEY

  • S3 Secret: YOUR-S3-SECRET

  • S3 Bucket Name: YOUR-BUCKET-NAME

  • S3 Encryption > Manage > Enable encryption > OK

User Authentication

Users > Add User

Options exist for both local and Active Directory authentication.

Minimum password length is set in cloudconfig.php (define("TONIDO_MIN_PASSWORD_STRENGTH", 14);) or through the web ui Settings > Misc > Password > Minimum password length.

Local users are stored in the local MongoDB database.

root@379bbdf43c2a:/var/lib/mongodb# mongosh
config> show dbs
admin                 40.00 KiB
config               108.00 KiB
local                 72.00 KiB
tonidoauditdb        160.00 KiB
tonidoclouddb          1.45 MiB
tonidopushservicedb   96.00 KiB
tonidosettings       284.00 KiB
tonidostoragedb      316.00 KiB
tonidosyncdb         100.00 KiB

config> use tonidoclouddb
tonidoclouddb> show collections
...
users

tonidoclouddb> db.users.find()
[
  {
    _id: ObjectId('68776b4dc873b634d20e14d5'),
    createdon: ISODate('2025-07-14T09:05:17.587Z'),
    verified: '1',
    sharemode: 0,
    source: 0,
    username: 'test',
    emailid: 'test@local.host',
    salt: '',
    password: '$pbkdf2-sha512$120000$9vHc.lirvYR5gTtVmamYGQ$19kh8qGYxRyotWwu7j7NtkQ31mXnDRIV2.oz8lZaXWA06Lc1orK1JaHfufeRQiLbC0611POxV1hQsabf9/Z6MA',
    passwordexpireson: null,
    requirepasswordchange: '1',
    displayname: 'test',
    displaynamelower: 'test',
    verifytag: '',
    status: 1,
    lastlogindate: '',
    authtype: 0,
    teamfolder: 0,
    authcontext: ''
  }
]
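The password field in the record above follows the `$pbkdf2-sha512$rounds$salt$digest` layout with '.'-substituted, unpadded base64 for the salt and digest (the layout passlib's pbkdf2_sha512 handler produces; treating it as that scheme is an assumption here, the page does not say what library FileCloud uses). The Python below is an added example, not code from this page or from FileCloud: it parses such a record, checks the work factor and salt size against a minimum you would apply when reviewing a dump of the users collection, and verifies a candidate password against a record generated with the same scheme. The sample hash is the one shown above (its plaintext is unknown, so it is only parsed); every function name is mine.

```python
import base64
import hashlib
import hmac
import os
import re

# The record shown in the db.users.find() output on this page (plaintext unknown).
SAMPLE_HASH = (
    "$pbkdf2-sha512$120000$9vHc.lirvYR5gTtVmamYGQ$"
    "19kh8qGYxRyotWwu7j7NtkQ31mXnDRIV2.oz8lZaXWA06Lc1orK1JaHfufeRQiLbC0611POxV1hQsabf9/Z6MA"
)

# rounds $ salt $ digest; salt and digest use the alphabet A-Z a-z 0-9 . /
HASH_RE = re.compile(r"^\$pbkdf2-sha512\$(\d+)\$([A-Za-z0-9./]+)\$([A-Za-z0-9./]+)$")


def ab64_decode(text):
    """Adapted base64 as used by this hash layout: '.' stands for '+', padding is omitted."""
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def ab64_encode(raw):
    """Inverse of ab64_decode."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def parse_hash(record):
    """Split a $pbkdf2-sha512$ string into its iteration count, raw salt and raw digest."""
    m = HASH_RE.match(record)
    if not m:
        raise ValueError("not a pbkdf2-sha512 record")
    rounds, salt, digest = m.groups()
    return {"rounds": int(rounds), "salt": ab64_decode(salt), "digest": ab64_decode(digest)}


def make_hash(password, rounds=120000, salt=None):
    """Produce a record in the same layout (assumption: the raw salt bytes feed PBKDF2 directly)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=64)
    return f"$pbkdf2-sha512${rounds}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify_password(password, record):
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    p = parse_hash(record)
    dk = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), p["salt"], p["rounds"], dklen=len(p["digest"])
    )
    return hmac.compare_digest(dk, p["digest"])


def meets_policy(record, min_rounds=100000, min_salt_bytes=16):
    """Audit check for a users dump: is the work factor and salt size adequate?"""
    p = parse_hash(record)
    return p["rounds"] >= min_rounds and len(p["salt"]) >= min_salt_bytes


if __name__ == "__main__":
    p = parse_hash(SAMPLE_HASH)
    print(
        f"rounds={p['rounds']} salt={len(p['salt'])}B digest={len(p['digest'])}B "
        f"policy_ok={meets_policy(SAMPLE_HASH)}"
    )
```

For the record on this page the parser reports 120000 rounds, a 16-byte salt and a 64-byte digest, which is a reasonable PBKDF2 configuration; the `verify_password` round trip only works for hashes whose plaintext you hold, so on a real audit `meets_policy` is the function you run over every document in `users`.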

Server URL

Settings > Server > Service URL: http://localhost

Set TONIDOCLOUD_SECURE_COOKIE to 1.

root@379bbdf43c2a:~# vim /var/www/html/config/cloudconfig.php
define("TONIDOCLOUD_SECURE_COOKIE", 1);

Features

FileCloud Drive

FileCloud Drive allows end users to mount a network share on their computer; files placed in this share are hosted on the FileCloud server and are easily shareable through the Share link feature.

A window is opened automatically allowing the user to set expiry date and time, maximum number of downloads, password protection and more.

Note: In FileCloud version 23.241 or later, the Default Share Type is Private Share. Prior to FileCloud 23.241, the Default Share Type was Public Share.

This means that in version 23.241 or later, users are only allowed to share files with other authenticated users.

To allow Public Shares an administrator must either change the Global Default Policy (Settings > Policies > Edit Policy > Share Mode: Allow All Shares), or create a new custom policy per user/group/team/share basis.

After changing the Policy users are now able to share folders and/or files through a password protected download link as seen in the images above.

An administrator can also change the global share setting to Public through Settings > Misc > Share > Default share type > Public Share.

If Send Email Notifications is enabled the user will get an email when the resource is downloaded. If the option is not enabled, the user can see recent activity in the Activity panel on the right side when browsing the share.


Security

Disallowed file extensions

Settings > Misc > General

Default disallowed extensions: php|php5|phar|phtml|php7|htaccess

Extract uploaded files

In the configuration we set the local storage path to /opt/fileclouddata. Browsing that directory we find all uploaded files stored in the new .dat file format.

root@379bbdf43c2a:/tmp# ls -al /opt/fileclouddata/687773663b2d9795422232/687773663e10f169844791/    
total 16
drwxr-xr-x 2 www-data www-data 4096 Jul 16 10:46 .
drwxr-xr-x 3 www-data www-data 4096 Jul 16 09:39 ..
-rw-r--r-- 1 www-data www-data  106 Jul 16 09:39 687773663ab79706791804.dat
-rw-r--r-- 1 www-data www-data   20 Jul 16 10:46 687782e92bfae130894299.dat

By default all files are stored unencrypted and can easily be recovered by simply copying them.

root@379bbdf43c2a:/tmp# cp /opt/fileclouddata/687773663b2d9795422232/687773663e10f169844791/687773663ab79706791804.dat /tmp/win_whoami-ps
root@379bbdf43c2a:/tmp# cat /tmp/win_whoami-ps 
REM Windows Powershell poc
DELAY 1000
GUI x
DELAY 500
STRING a
DELAY 500
\ARROW_L
DELAY 500
whoami
\ENTER

With a server containing thousands of files this is cumbersome; instead we can locate specific files through the database.

root@379bbdf43c2a:/# mongosh
test> show dbs
...
tonidostoragedb      652.00 KiB

test> use tonidostoragedb
tonidostoragedb> show collections
...
items

tonidostoragedb> db.items.find(
...   { type: "file" }, // Filter: only type = file
...   { _id: 0, name: 1, owner: 1, size: 1, storedpath: 1 } // Projection: include only selected fields
... )
[
  {
    name: 'win_whoami-ps',
    owner: 'test',
    size: 106,
    storedpath: '0/687773663b2d9795422232/687773663e10f169844791/687773663ab79706791804.dat'
  },
  {
    name: 'info.php3',
    owner: 'test',
    size: 20,
    storedpath: '0/687773663b2d9795422232/687773663e10f169844791/687782e92bfae130894299.dat'
  }
]

In-browser file preview

FileCloud supports in-browser file previews using QuickJS Preview and/or LibreOffice. This has resulted in vulnerabilities in the past, for example CVE-2025-26127, affecting FileCloud < v23.241.2, where authenticated users could hijack sessions through stored XSS.

With this in mind it is interesting that the default disallowed extensions cover php and php5, but not php3. Will FileCloud render a phpinfo() file with the extension php3?
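Tying the storage listing, the items query and the extension denylist together: the Python below is an added example, not code from this page or from FileCloud. It walks a constructed copy of the two items documents shown above, maps each storedpath onto the storage root (assumption drawn from the ls listing above: the leading "0/" segment is a storage-location index and is not part of the on-disk path), and checks each name against the default denylist as a plain last-extension, case-insensitive match (assumption; the page does not give FileCloud's actual matching rule) and against a broader rule that rejects any PHP-like segment anywhere in the name. It generalises past the page's single php3 case to other numbered and double-extension variants, which is the check an administrator would run over an export of the items collection to see which uploads a denylist alone would have waved through.

```python
import re
from pathlib import PurePosixPath

# Default list from Settings > Misc > General, as recorded on this page.
DEFAULT_DISALLOWED = "php|php5|phar|phtml|php7|htaccess".split("|")

# Broad pattern chosen for this example (not FileCloud's list): any segment a web
# server might route to a PHP handler, plus htaccess.
PHP_LIKE = re.compile(r"^(php\d*|phps|phtml|phtm|pht|phar|inc|htaccess)$", re.IGNORECASE)

# Constructed copy of the two documents from db.items.find() above.
SAMPLE_ITEMS = [
    {"name": "win_whoami-ps", "owner": "test", "size": 106,
     "storedpath": "0/687773663b2d9795422232/687773663e10f169844791/687773663ab79706791804.dat"},
    {"name": "info.php3", "owner": "test", "size": 20,
     "storedpath": "0/687773663b2d9795422232/687773663e10f169844791/687782e92bfae130894299.dat"},
]


def blocked_by_denylist(filename, denylist=DEFAULT_DISALLOWED):
    """Plain last-extension match, case-insensitive (assumed rule for this example)."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in {e.lower() for e in denylist}


def blocked_hardened(filename):
    """Reject if ANY dotted segment after the first is PHP-like, so a.php3 and a.php.txt fail too."""
    return any(PHP_LIKE.match(seg) for seg in filename.split(".")[1:])


def resolve_on_disk(storage_root, storedpath):
    """Map a tonidostoragedb storedpath to the file under the storage root (drops the '0/' index)."""
    parts = PurePosixPath(storedpath).parts
    return str(PurePosixPath(storage_root, *parts[1:]))


def audit_items(items, storage_root="/opt/fileclouddata"):
    """One finding per item: where it lives on disk and how each rule classifies its name."""
    findings = []
    for item in items:
        name = item["name"]
        findings.append({
            "name": name,
            "owner": item["owner"],
            "disk_path": resolve_on_disk(storage_root, item["storedpath"]),
            "blocked_default": blocked_by_denylist(name),
            "blocked_hardened": blocked_hardened(name),
        })
    return findings


def denylist_evasions(items):
    """Names the default denylist lets through that the hardened rule would reject."""
    return [f["name"] for f in audit_items(items)
            if not f["blocked_default"] and f["blocked_hardened"]]


if __name__ == "__main__":
    for f in audit_items(SAMPLE_ITEMS):
        print(f"{f['name']:<16} default_blocked={f['blocked_default']!s:<5} "
              f"hardened_blocked={f['blocked_hardened']!s:<5} {f['disk_path']}")
    print("slipped past default denylist:", denylist_evasions(SAMPLE_ITEMS))
```

On the two sample items only info.php3 is reported as an evasion. The broader pattern is still a denylist; where the deployment allows it, an allowlist of the document and media types the instance actually needs is the stronger control, with the pattern above kept as a second check.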
