Earlier this year I was asked to perform an OWASP ASVS (Application Security Verification Standard) with a colleague on a client's deployment of the web-based file-sharing software Pydio. After getting my feet wet looking at the codebase, my interest was piqued in the platform and decided to independently research the software for vulnerabilities.
The following vulnerability disclosure is a detailed account of my findings. Four areas of weakness were identified: multiple XSS flaws, a credentialed SSRF flaw, multiple methods to discover the remote version of the software, and a credentialed Remote Code Execution flaw. After discussion with the Pydio developers, two of the flaws were fixed in the 8.2.1 release. The remaining issues were not addressed due to the reasons discussed in the disclosure. A workaround is included for one of these issues, providing additional protections for those who may require it.
Update October 2018: The vendor has released Pydio 8.2.2, which includes an official fix for the credentialed Remote Code Execution flaw. The disclosure has been updated to reflect the new release.
My experience working with the Pydio developers was positive, and I applaud them for responsiveness to the findings.
As with any web application, security can't be achieved only via patching. Deploying in a hardened server environment that includes protections like sandboxing and employing a tuned Web Application Firewall is essential, so that if 0-day vulnerabilities are found, layers of protections are still facing a would-be attacker.
Direct link to disclosure: Pydio-8-VulnerabilityDisclosure-Jul18.txt
Updated: Oct 22, 2018
Title : Multiple Flaws Found in Pydio 8
Author: Mike Gualtieri :: https://www.mike-gualtieri.com
Date : 2018-04-26
Rev 1 : 2018-05-24
Rev 2 : 2018-07-16
Rev 3 : 2018-07-23
Rev 4 : 2018-10-22
Vendor Affected: Pydio :: https://pydio.com/
Versions Affected: 8.2.0 and prior; 8.2.1 and prior
CVE ID's Assigned: CVE-2018-1999016, CVE-2018-1999017, CVE-2018-1999018
Multiple remote security issues have been found in Pydio 8, which can aid
an attacker in stealing sensitive data, execute arbitrary code, and utilize
the software as a pivot point for further attack.
Following a recent OWASP ASVS evaluation of Pydio conducted by Aaron Melhorn
of O2 Digital Creative Agency and Mike Gualtieri of Eris Interactive Group,
researcher Mike Gualtieri performed an independent review of the Pydio 8.0.2
codebase. Multiple flaws were found, detailed below, including:
- XSS flaws in packaged /core/vendor samples
- An authenticated SSRF flaw
- Multiple version disclosure flaws
- An authenticated RCE flaw
Rev 1: With the release of Pydio 8.2.0, this advisory has been updated and tested
with the latest release. An additional Remote Code Execution issue has been
found and has been added to this revision.
Rev 2: With the release Pydio 8.2.1, this advisory has been updated and tested with
the latest release. The XSS and SSRF issue have been verified as fixed.
Rev 3: CVE ID's have been assigned for three of the following issues. The
text has been updated to reflect the assignment.
Rev 4: With the release Pydio 8.2.2, this advisory has been updated and tested with
the latest release. The authenticated RCE issue in the antivirus plugin has been
verified as fixed.
2a. XSS (Cross Site Scripting) flaws - CVE-2018-1999016
The following sections of code included in the Pydio codebase provide an
unauthenticated remote attacker a method for XSS by manipulating the PHP_SELF
parameter. XSS flaws allow an attacker to manipulate client-side code to
carry out targeted spear-phishing attacks or a method to steal site data
Posted: Jul 23, 2018
Keyword tags: vulnerability disclosurepydiosecurityweb security