Path Traversal/Deletion Vulnerability In Pydio/AjaXplorer 5.0.3 – 3.3.5

Background:

Pydio allows you to instantly turn any server into a powerful file sharing platform. It was formerly known as AjaXplorer.

Description of vulnerability:

There is a path traversal vulnerability in one of the plugins distributed with Pydio/AjaXplorer core, versions 3.3.5 through 5.0.3.

An attacker may use this vulnerability to retrieve arbitrary information from the server, or to delete arbitrary files that the application has access to.

Details:

/plugins/editor.zoho/agent/save_zoho.php

The zoho plugin location is not protected from direct access and will allow file inclusion/path traversal attacks.

Files that the application has access to can also be unlinked. Exploiting this vulnerability does not require authentication.
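The defect class described above is a file-handling endpoint that takes a user-supplied path and reads or unlinks it without first confining that path to the directory it is meant to serve. The following is an added illustration written for this advisory in Python; it is not Pydio's code and does not reproduce save_zoho.php. It shows the confinement check such a handler needs before any open() or unlink(): canonicalise the joined path and reject it unless it stays inside the base directory. Function names (resolve_within, safe_read, safe_unlink, demo) and the temporary directory layout are assumptions made for the example. The check covers only the traversal half of the issue; the endpoint would separately have to require an authenticated session, since the advisory notes the plugin is reachable without one.

```python
# Added example (not Pydio code): confine a user-supplied file name to a base
# directory before reading or deleting it. All names here are hypothetical.
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical absolute path for user_path, guaranteed to lie
    inside base_dir, or raise PathTraversalError.

    os.path.realpath collapses '..' segments and follows symlinks, so a link
    planted inside base_dir that points outside it is rejected along with a
    plain '../' sequence or an absolute path.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute; that is fine,
    # because the prefix comparison below then rejects the result.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def safe_read(base_dir: str, user_path: str) -> bytes:
    """Read a file only after the path has passed the confinement check."""
    with open(resolve_within(base_dir, user_path), "rb") as fh:
        return fh.read()


def safe_unlink(base_dir: str, user_path: str) -> None:
    """Delete a file only after the path has passed the same check."""
    os.unlink(resolve_within(base_dir, user_path))


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and exercise
    the check. Returns a label -> 'allowed'/'rejected' map for each request."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "doc.txt"), "wb") as fh:
        fh.write(b"hello")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"outside the served directory")
    # A symlink inside the served directory that points outside it.
    os.symlink(secret, os.path.join(uploads, "link"))

    requests = {
        "doc.txt": "doc.txt",              # ordinary file, should be served
        "../secret.txt": "../secret.txt",  # classic traversal, must be rejected
        "absolute path": secret,           # absolute path, must be rejected
        "link": "link",                    # symlink escaping base, must be rejected
        "sub/../doc.txt": "sub/../doc.txt",  # '..' that stays inside, fine
    }
    results = {}
    for label, name in requests.items():
        try:
            safe_read(uploads, name)
            results[label] = "allowed"
        except PathTraversalError:
            results[label] = "rejected"

    # Deletion goes through the same check, so the outside file survives.
    try:
        safe_unlink(uploads, "../secret.txt")
        results["unlink ../secret.txt"] = "allowed"
    except PathTraversalError:
        results["unlink ../secret.txt"] = "rejected"
    results["secret still exists"] = "yes" if os.path.exists(secret) else "no"

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:28s} {outcome}")
```

The comparison is done on the canonical path rather than on the raw string, which is what defeats both the lexical tricks ("..", absolute paths) and the filesystem trick (a symlink inside the served directory). Rejecting before open() or unlink() matters more for the delete case, since a read that escapes can be audited after the fact but an unlink cannot be undone.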

CVE:

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2013-6226 to this issue. This is a candidate for inclusion in the CVE list.

Vendor Response:

Upgrade to Pydio v5.0.4 or higher. http://pyd.io/pydio-core-5-0-4/

Timeline:

October 10, 2013, Vulnerability identified
October 10, 2013, Vendor Notified
October 10, 2013, Vendor initial patch review
October 10, 2013, Patch released
November 10, 2013, Disclosure

Research:

Craig Arendt (Redfsec)
http://www.redfsec.com/CVE-2013-6226