Path Traversal/Deletion Vulnerability In Pydio/AjaXplorer 5.0.3 – 3.3.5
Pydio allows you to instantly turn any server into a powerful file sharing platform. It was formerly known as AjaXplorer.
Description of vulnerability:
There is a path traversal vulnerability in one of the plugins distributed with the Pydio/AjaXplorer core, affecting versions 5.0.3 down to 3.3.5.
An attacker may use this vulnerability to retrieve arbitrary information from the server, or to delete arbitrary files that the application has access to.
The zoho plugin location is not protected from direct access and allows file inclusion/path traversal attacks.
Files that the application has access to can also be unlinked (deleted). Exploiting this vulnerability does not require authentication.
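The root cause described above is a user-supplied path being joined to a plugin directory and then read or unlinked without checking that the result still lies inside that directory. The following is an added example, not Pydio's or the zoho plugin's code, showing the containment check a defender would want in place. It assumes a hypothetical base directory of uploaded files and constructs its own temporary tree and probe inputs; the function names (`resolve_inside`, `demo_results`) are invented for illustration.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if it escapes base_dir.

    Hypothetical helper (not Pydio code). realpath() normalises ".." segments
    and follows symlinks, so a link planted inside the base that points
    outside it is caught as well as a plain "../../" sequence.
    """
    base = os.path.realpath(base_dir)
    # Strip leading slashes so an absolute user path cannot replace the base.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # commonpath() avoids the "/base" vs "/base2" prefix trap that a naive
    # startswith() comparison would miss.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_unlink(base_dir: str, user_path: str) -> bool:
    """Delete a regular file only if it resolves inside base_dir."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo_results() -> Dict[str, bool]:
    """Build a constructed temp tree and report which probes the check accepts.

    True means "resolved inside the base directory" (not "exists");
    False means the input was rejected as traversal.
    """
    base = tempfile.mkdtemp(prefix="upload_base_")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "report.txt"), "w") as fh:
        fh.write("constructed sample content\n")

    # A second, unrelated directory standing in for "outside the base".
    outside = tempfile.mkdtemp(prefix="outside_")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed secret\n")

    # Symlink inside the base pointing outside it (skipped where unsupported).
    have_symlink = True
    try:
        os.symlink(secret, os.path.join(base, "docs", "link.txt"))
    except (OSError, NotImplementedError):
        have_symlink = False

    probes = [
        "docs/report.txt",              # legitimate relative path
        "../" * 6 + "etc/hosts",        # classic dot-dot traversal
        "docs/../../escape.txt",        # traversal hidden behind a valid dir
        "/abs/path.txt",                # absolute path is confined, not trusted
    ]
    results = {p: resolve_inside(base, p) is not None for p in probes}
    if have_symlink:
        results["docs/link.txt"] = resolve_inside(base, "docs/link.txt") is not None
    return results


if __name__ == "__main__":
    for probe, accepted in demo_results().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {probe}")
```

The check answers only "is the resolved path inside the base directory"; existence and type are verified separately in `safe_unlink`, and the unauthenticated-access problem the advisory also describes is a matter of requiring authentication before the plugin endpoint is reachable at all, which no path check can substitute for.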
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2013-6226 to this issue. This is a candidate for inclusion in the CVE list.
Solution: Upgrade to Pydio v5.0.4 or higher: http://pyd.io/pydio-core-5-0-4/