# FileCloud

## Docker Install

```bash
kdev :: /opt » sudo mkdir filecloud-dev && sudo chown -R void:void filecloud-dev
kdev :: /opt » cd filecloud-dev 
kdev :: /opt/filecloud-dev » mkdir fcdata dbdata solrdata
kdev :: /opt/filecloud-dev » docker pull filecloud/fileclouddocker
kdev :: /opt/filecloud-dev » sudo docker run --privileged -d -p 443:443 -p 80:80 -v fcdata:/opt/fileclouddata -v dbdata:/var/lib/mongodb -v solrdata:/opt/solrfcdata/var/solr -v htmldata:/var/www/html --name filecloud-dev filecloud/fileclouddocker:latest /lib/systemd/system
```

* Admin URL: `http://localhost/ui/admin/index.html` OR `/admin2/index.html`
* Default Creds: `admin:password`
* Default Creds AWS: `admin:<instant-id>`
* Default API Key: `apipassword`
* SMTP Host: `smtpcorp.com:2525`
* Default SMTP Creds: `fcdemo242:1iuh0HiJKWjuE`
* AWS Install Check: `https://<aws-public-dns>/install`

Make sure to lock down `/install`, as it exposes basic and **extended** installation information such as the running user, PHP version, etc.

* 30-day trial license file downloadable from: `https://portal.getfilecloud.com/ui/user/index.html#/login`

***

## App Settings

Config file: `/var/www/html/config/cloudconfig.php`

### Initialize Storage

**Local Storage:** *Settings > Storage > Storage Path:* `/opt/fileclouddata`

**AWS Storage**:

```bash
root@379bbdf43c2a:/var/www/html/config# cp amazons3storageconfig-sample.php amazons3storageconfig.php
root@379bbdf43c2a:~# vim /var/www/html/config/cloudconfig.php
define("TONIDOCLOUD_STORAGE_IMPLEMENTATION", "amazons3");
```

*Settings > Storage*:

* S3 Key: `YOUR-S3-KEY`
* S3 Secret: `YOUR-S3-SECRET`
* S3 Bucket Name: `YOUR-BUCKET-NAME`
* S3 Encryption > Manage > Enable encryption > OK

### User Authentication

*Users > Add User*

Users can be authenticated either locally or against Active Directory.

Minimum password length is set in `cloudconfig.php` (`define("TONIDO_MIN_PASSWORD_STRENGTH", 14);`) or through the web ui *Settings > Misc > Password > Minimum password length*.

Local users are stored in the local MongoDB database.

```bash
root@379bbdf43c2a:/var/lib/mongodb# mongosh
config> show dbs
admin                 40.00 KiB
config               108.00 KiB
local                 72.00 KiB
tonidoauditdb        160.00 KiB
tonidoclouddb          1.45 MiB
tonidopushservicedb   96.00 KiB
tonidosettings       284.00 KiB
tonidostoragedb      316.00 KiB
tonidosyncdb         100.00 KiB

config> use tonidoclouddb
tonidoclouddb> show collections
...
users

tonidoclouddb> db.users.find()
[
  {
    _id: ObjectId('68776b4dc873b634d20e14d5'),
    createdon: ISODate('2025-07-14T09:05:17.587Z'),
    verified: '1',
    sharemode: 0,
    source: 0,
    username: 'test',
    emailid: 'test@local.host',
    salt: '',
    password: '$pbkdf2-sha512$120000$9vHc.lirvYR5gTtVmamYGQ$19kh8qGYxRyotWwu7j7NtkQ31mXnDRIV2.oz8lZaXWA06Lc1orK1JaHfufeRQiLbC0611POxV1hQsabf9/Z6MA',
    passwordexpireson: null,
    requirepasswordchange: '1',
    displayname: 'test',
    displaynamelower: 'test',
    verifytag: '',
    status: 1,
    lastlogindate: '',
    authtype: 0,
    teamfolder: 0,
    authcontext: ''
  }
]
```

### Server URL

*Settings > Server > Service URL*: `http://localhost`

### Secure Cookie (when using HTTPS)

Set `TONIDOCLOUD_SECURE_COOKIE` to `1`.

```bash
root@379bbdf43c2a:~# vim /var/www/html/config/cloudconfig.php
define("TONIDOCLOUD_SECURE_COOKIE", 1);
```

***

## Features

### FileCloud Drive

`FileCloud Drive` allows end users to mount a network share on their computer. Files placed in this share are hosted on the FileCloud server and are easily shareable through the `Share link` feature.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FcvCr1nRxk3yapB9PPc1u%2Ffilecloud-drive_share01.png?alt=media&#x26;token=184d1409-9585-41d4-a406-bf28d327c088" alt=""><figcaption></figcaption></figure>

A window is opened automatically allowing the user to set expiry date and time, maximum number of downloads, password protection and more.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FwsRzS8hj5j89o3givKz5%2Ffilecloud-drive_share02.png?alt=media&#x26;token=ca737683-f64b-4cf8-a16d-f968e7d373cf" alt=""><figcaption></figcaption></figure>

<mark style="color:red;">**Note:**</mark> In FileCloud version 23.241 or later, the Default Share Type is Private Share. Prior to FileCloud 23.241, the Default Share Type was Public Share.

This means that in version 23.241 or later, users are only allowed to share files with other authenticated users.

To allow Public Shares an **administrator** must either change the Global Default Policy (*Settings > Policies > Edit Policy > Share Mode: Allow All Shares*), or create a new custom policy per user/group/team/share basis.

After changing the policy, users are able to share folders and/or files through a password-protected download link, as seen in the images above.

An administrator can also change the global share setting to Public through *Settings > Misc > Share > Default share type > Public Share*.

If *Send Email Notifications* is enabled, the user receives an email when the resource is downloaded. If the option is not enabled, the user can still see recent activity in the *Activity panel* on the right-hand side when browsing the share.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2F6b7b2rAnPNi7FPDTq1IT%2Ffilecloud-drive_share03.png?alt=media&#x26;token=0c2559b2-d0da-42c2-a524-3541edcaf3a2" alt=""><figcaption></figcaption></figure>


***

## Security

### Disallowed file extensions

*Settings > Misc > General*

Default disallowed extensions: `php|php5|phar|phtml|php7|htaccess`

### Extract uploaded files

In the configuration above we set the local storage path to `/opt/fileclouddata`. Browsing that path we find every uploaded file stored under a generated name in the new `.dat` file format.

```bash
root@379bbdf43c2a:/tmp# ls -al /opt/fileclouddata/687773663b2d9795422232/687773663e10f169844791/
total 16
drwxr-xr-x 2 www-data www-data 4096 Jul 16 10:46 .
drwxr-xr-x 3 www-data www-data 4096 Jul 16 09:39 ..
-rw-r--r-- 1 www-data www-data  106 Jul 16 09:39 687773663ab79706791804.dat
-rw-r--r-- 1 www-data www-data   20 Jul 16 10:46 687782e92bfae130894299.dat
```

By default all files are stored unencrypted and can easily be recovered by simply copying them.

```bash
root@379bbdf43c2a:/tmp# cp /opt/fileclouddata/687773663b2d9795422232/687773663e10f169844791/687773663ab79706791804.dat /tmp/win_whoami-ps
root@379bbdf43c2a:/tmp# cat /tmp/win_whoami-ps 
REM Windows Powershell poc
DELAY 1000
GUI x
DELAY 500
STRING a
DELAY 500
\ARROW_L
DELAY 500
whoami
\ENTER
```

On a server containing thousands of files this is cumbersome; instead we can locate sensitive files through the database, which maps original filenames and owners to the stored `.dat` paths.

```bash
root@379bbdf43c2a:/# mongosh
test> show dbs
...
tonidostoragedb      652.00 KiB

test> use tonidostoragedb
tonidostoragedb> show collections
...
items

tonidostoragedb> db.items.find(
...   { type: "file" }, // Filter: only type = file
...   { _id: 0, name: 1, owner: 1, size: 1, storedpath: 1 } // Projection: include only selected fields
... )
[
  {
    name: 'win_whoami-ps',
    owner: 'test',
    size: 106,
    storedpath: '0/687773663b2d9795422232/687773663e10f169844791/687773663ab79706791804.dat'
  },
  {
    name: 'info.php3',
    owner: 'test',
    size: 20,
    storedpath: '0/687773663b2d9795422232/687773663e10f169844791/687782e92bfae130894299.dat'
  }
]
```

### In-browser file preview

FileCloud supports in-browser file previews using QuickJS Preview and/or LibreOffice. This has resulted in vulnerabilities in the past, for example [CVE-2025-26127](https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2025-26127) affecting FileCloud < v23.241.2 where authenticated users could hijack sessions through stored XSS.

With this in mind it is interesting that the default disallowed extensions cover `php` and `php5`, but not every `php<n>` variant (for example `php3`). Will FileCloud render a `phpinfo()` file with the extension `php3`?
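As an added example (not code from the page or from FileCloud), the following Python applies the default disallowed list from *Settings > Misc > General* to filenames in the shape of the `db.items` records above and contrasts it with a hardened check. The matching semantics (last extension, case-insensitive) and the hardened list are assumptions for illustration, not FileCloud's own behaviour.

```python
# Default disallowed extension list quoted from the FileCloud admin UI
# (Settings > Misc > General), pipe-separated.
DEFAULT_DISALLOWED = "php|php5|phar|phtml|php7|htaccess"

# Hardened list (constructed for this example, not a FileCloud default):
# the default plus the remaining php<n> variants and common PHP aliases.
HARDENED_DISALLOWED = DEFAULT_DISALLOWED + "|php3|php4|php8|phps|pht|phpt|inc"

# Constructed sample records modelled on the `db.items` projection above.
SAMPLE_ITEMS = [
    {"name": "win_whoami-ps", "owner": "test", "size": 106},
    {"name": "info.php3", "owner": "test", "size": 20},
    {"name": "Shell.PHP", "owner": "test", "size": 31},
    {"name": "notes.php.txt", "owner": "test", "size": 12},
]


def is_disallowed(name: str, pattern: str, all_segments: bool = False) -> bool:
    """Return True if `name` carries an extension blocked by `pattern`.

    all_segments=False checks only the final extension, the way a plain
    pipe-list such as the default is assumed to be applied.
    all_segments=True tests every dotted segment after the first, so a
    double extension like `notes.php.txt` is caught as well.
    Matching is case-insensitive in both modes.
    """
    blocked = {ext.lower() for ext in pattern.split("|")}
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False  # no extension at all (e.g. win_whoami-ps)
    segments = parts[1:] if all_segments else parts[-1:]
    return any(seg in blocked for seg in segments)


def audit(items, pattern: str, all_segments: bool = False):
    """Names from an items listing that the given rule would have blocked."""
    return [i["name"] for i in items
            if is_disallowed(i["name"], pattern, all_segments)]


if __name__ == "__main__":
    print("default rule blocks:", audit(SAMPLE_ITEMS, DEFAULT_DISALLOWED))
    print("hardened rule blocks:",
          audit(SAMPLE_ITEMS, HARDENED_DISALLOWED, all_segments=True))
```

Running the audit over an export of `db.items` shows which already-stored files the current rule would not have stopped; `info.php3` passes the default list but not the hardened one.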
