[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vulnerability in Pydio/AjaXplorer < = 5.0.3

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability in Pydio/AjaXplorer < = 5.0.3
From: advisories@xxxxxxxxxxx
Date: Sun, 10 Nov 2013 14:20:56 GMT

Vulnerability in Pydio/AjaXplorer < = 5.0.3

============
Background:
Pydio allows you to instantly turn any server into a powerful file sharing 
platform. Formerly known as AjaXplorer

============
Description of vulnerability

There is an unrestricted upload capability, in one of the plugins that is 
distributed with Pydio 5.0.3 core to AjaXplorer 3.3.5.

An attacker may use this vulnerability to upload arbitrary files in a location 
that an attacker can control, and will allow remote code execution on the 
server. Exploiting this vulnerability does not require authentication.
============
Details:

/plugins/editor.zoho/agent/save_zoho.php

The uploaded file through $_FILES to save_zoho.php will be moved to a path that 
the user can control with the format parameter passed from the user. Because 
the file formats allowed are not restricted, and is also used in a move path, 
this can be used to upload arbitrary files to the server.

============
CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2013-6226 to this issue. This is a candidate for inclusion in the CVE list.

============
Vendor Response:
Upgrade to Pydio v5.0.4 or higher.
http://pyd.io/pydio-core-5-0-4/

============
Timeline:
============
October 13, 2013: Vulnerability identified
October 14, 2013:  Vendor notified
October 14, 2013: Patch released
November 10, 2013: Disclosure
============
Research:
============
Craig Arendt (redfsec)
http://www.redfsec.com/CVE-2013-6227

Prev by Date: [ MDVSA-2013:265 ] kernel
Next by Date: Vulnerability in Pydio/AjaXplorer <= 5.0.3
Previous by thread: [ MDVSA-2013:265 ] kernel
Next by thread: Vulnerability in Pydio/AjaXplorer <= 5.0.3
Index(es):
- Date
- Thread