Earlier this year I was asked to perform an OWASP ASVS (Application Security Verification Standard) assessment with a colleague on a client's deployment of the web-based file-sharing software Pydio. After getting my feet wet in the codebase, my interest in the platform was piqued, and I decided to independently research the software for vulnerabilities.
The following vulnerability disclosure is a detailed account of my findings. Four areas of weakness were identified: multiple XSS flaws, a credentialed SSRF flaw, multiple methods of discovering the remote version of the software, and a credentialed Remote Code Execution flaw. After discussion with the Pydio developers, two of the flaws were fixed in the 8.2.1 release. The remaining issues were not addressed, for the reasons discussed in the disclosure. A workaround is included for one of these issues, providing additional protection for those who may require it.
Update October 2018: The vendor has released Pydio 8.2.2, which includes an official fix for the credentialed Remote Code Execution flaw. The disclosure has been updated to reflect the new release.
My experience working with the Pydio developers was positive, and I applaud them for responsiveness to the findings.
As with any web application, security can't be achieved through patching alone. Deploying in a hardened server environment that includes protections such as sandboxing, and employing a tuned Web Application Firewall, is essential, so that when 0-day vulnerabilities are found, additional layers of protection still stand between a would-be attacker and the application.
Direct link to disclosure: Pydio-8-VulnerabilityDisclosure-Jul18.txt
Updated: Oct 22, 2018
Posted: Jul 23, 2018
Keyword tags: vulnerability disclosure, pydio, security, web security