Title : Multiple Flaws Found in Pydio 8
Author: Mike Gualtieri :: https://www.mike-gualtieri.com
Date : 2018-04-26
Rev 1 : 2018-05-24
Rev 2 : 2018-07-16
Rev 3 : 2018-07-23
Rev 4 : 2018-10-22
Vendor Affected: Pydio :: https://pydio.com/
Versions Affected: 8.2.0 and prior; 8.2.1 and prior
CVE IDs Assigned: CVE-2018-1999016, CVE-2018-1999017, CVE-2018-1999018

1. Overview

Multiple remote security issues have been found in Pydio 8. They can aid an attacker in stealing sensitive data, executing arbitrary code, and using the software as a pivot point for further attacks.

2. Detail

Following a recent OWASP ASVS evaluation of Pydio conducted by Aaron Melhorn of O2 Digital Creative Agency and Mike Gualtieri of Eris Interactive Group, researcher Mike Gualtieri performed an independent review of the Pydio 8.0.2 codebase. Multiple flaws were found, detailed below, including:

- XSS flaws in packaged /core/vendor samples
- An authenticated SSRF flaw
- Multiple version disclosure flaws
- An authenticated RCE flaw

Rev 1: With the release of Pydio 8.2.0, this advisory has been updated and tested against the latest release. An additional Remote Code Execution issue has been found and has been added to this revision.

Rev 2: With the release of Pydio 8.2.1, this advisory has been updated and tested against the latest release. The XSS and SSRF issues have been verified as fixed.

Rev 3: CVE IDs have been assigned for three of the following issues. The text has been updated to reflect the assignment.

Rev 4: With the release of Pydio 8.2.2, this advisory has been updated and tested against the latest release. The authenticated RCE issue in the antivirus plugin has been verified as fixed.

2a. XSS (Cross Site Scripting) flaws - CVE-2018-1999016

The following sections of code included in the Pydio codebase give an unauthenticated remote attacker a way to perform XSS by manipulating the PHP_SELF parameter. XSS flaws allow an attacker to manipulate client-side code, either to carry out targeted spear-phishing attacks or to steal site data and/or cookies.

File: ./core/vendor/meenie/javascript-packer/example-inline.php
Line 48:
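Added example, constructed for this advisory rather than taken from Pydio or the vendored javascript-packer sample: the unescaped PHP_SELF echo pattern this flaw class rests on, beside a hardened version. The function names and the sample request path are assumptions.

```php
<?php
// Added illustration (not Pydio's code, not the vendored javascript-packer sample).
// PHP_SELF reflects the request path, including any PATH_INFO the client appended,
// so writing it raw into HTML lets a crafted URL put markup into the page.

// Vulnerable pattern: the request path is written into an attribute unescaped.
function form_action_unsafe(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">';
}

// Hardened form: escape for the HTML attribute context. ENT_QUOTES covers both
// quote styles, so injected characters are rendered as text, not as markup.
function form_action_safe(string $php_self): string
{
    $escaped = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Safer still for a self-posting form: use the script's own name, which carries
// no PATH_INFO, rather than the client-influenced request path.
function form_action_script_only(string $script_name): string
{
    $escaped = htmlspecialchars($script_name, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Constructed stand-in for $_SERVER['PHP_SELF'] on a request that carried extra path data.
$constructed_self = '/example-inline.php/"><b>injected</b>';

echo form_action_unsafe($constructed_self), "\n";        // the <b> tag survives as markup
echo form_action_safe($constructed_self), "\n";          // < > " are now entities
echo form_action_script_only('/example-inline.php'), "\n";
```

Independently of escaping, vendored example and demo files should not be web-reachable in a production deployment, so removing them from the document root closes this class of issue even where the sample code itself is never fixed.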