Multiple Vulnerabilities in Pydio Cells [1.4.1]

20 June , 2019

Product Details

Pydio Cells is a transition application for managing your files on a Pydio Cells 1.2.X server (both Home and Enterprise editions), until main applications Pydio and Pydio Pro are ready for Cells servers.

URL: https://pydio.com/

Vulnerability Details

During our research we discovered few severe security vulnerabilities in Pydio cells, affecting the complete CIA triad.

List of Vulnerabilities:

❏ Path/Directory Traversal
❏ Data retrieval after deletion of user
❏ Database Table/column enumeration

Vulnerable Versions

1.4.1

Analysis

[1] Vulnerability – Path/Directory Traversal

CVE-2019-12901

Vulnerability Description –

An attacker by utilizing`../` elements is able to traverse back to the
other writable directories & perform unprivileged actions.

Impact –
An attacker with minimum privilege, is able to Upload files to & Delete files/folders from an unprivileged directory, compromising the Integrity of the application.

[2] Vulnerability – Data retrieval after deletion of user

CVE-2019-12902

Vulnerability Description –

A new user, holding the same `User ID` of a deleted user, would be able to restore the deleted users data.

Impact –
An attacker would be able to retrieve unauthorized data.

[3] Vulnerability – Database Table/column name enumeration

CVE-2019-12903

Vulnerability Description –

– Upon saving the Users `Name` field (My Account), as a non-utf8 character (4 bytes character), the application throws an error, as it expects an utf8 character which is of 3 bytes. As part of the error, it exposes few sensitive information such as database table, column name.

Impact –
An attacker can enumerate sensitive information such a database table & column names

Timeline

Vendor Disclosure: 2019-4-5
Public Disclosure: 2019-6-20

Credit

Discovered by ACE Team – Loginsoft