Multiple Vulnerabilities in Pydio Cells [1.4.1]
20 June, 2019
Product Details
Pydio Cells is a transition application for managing your files on a Pydio Cells 1.2.X server (both Home and Enterprise editions), until the main applications Pydio and Pydio Pro are ready for Cells servers.
URL: https://pydio.com/
Vulnerability Details
During our research we discovered a few severe security vulnerabilities in Pydio Cells, affecting the complete CIA triad (confidentiality, integrity and availability).
List of Vulnerabilities:
❏ Path/Directory Traversal
❏ Data retrieval after deletion of user
❏ Database Table/column enumeration
Vulnerable Versions
1.4.1
Analysis
[1] Vulnerability – Path/Directory Traversal
CVE-2019-12901
Vulnerability Description –
By using `../` path elements, an attacker is able to traverse back to other writable directories and perform actions there for which they hold no privilege.
Impact –
An attacker with minimal privileges is able to upload files to, and delete files and folders from, a directory they are not authorized for, compromising the integrity of the application.
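The root cause of a traversal like this is that the server joins a client-supplied path onto a workspace root without confirming that the result still lies inside that root. The following Go function is an added example of that check (it is not Pydio's code; the root path and the sample inputs are constructed). It resolves the joined path to its cleaned absolute form and compares it with the root, so `../`, `./../` and `sub/../../other` are all caught rather than only a literal `../` prefix.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a client-supplied path would resolve
// outside the workspace root the caller is allowed to write to.
var ErrTraversal = errors.New("path escapes workspace root")

// ResolveWorkspacePath joins a client-supplied relative path onto the
// absolute root of the workspace the caller is authorised for, and rejects
// any result that would land outside that root. The comparison is made on
// the cleaned, absolute form of both paths, not on the raw input string.
func ResolveWorkspacePath(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absRoot = filepath.Clean(absRoot)

	// Leading separators are stripped so that "/etc/passwd" is treated as a
	// name relative to the workspace, never as an absolute filesystem path.
	rel := strings.TrimLeft(filepath.ToSlash(userPath), "/")
	target := filepath.Clean(filepath.Join(absRoot, filepath.FromSlash(rel)))

	// The target must be the root itself or a path strictly below it. The
	// trailing separator stops "/srv/ws-other" from matching root "/srv/ws".
	if target != absRoot && !strings.HasPrefix(target, absRoot+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed workspace root; a real server would take this from the
	// workspace the authenticated user is permitted to write to.
	root := "/srv/cells/workspaces/personal/alice"
	for _, p := range []string{
		"docs/report.pdf",
		"../bob/secret.txt",
		"docs/../../../shared/notes.md",
		"/etc/passwd",
	} {
		resolved, err := ResolveWorkspacePath(root, p)
		if err != nil {
			fmt.Printf("%-34q REJECTED: %v\n", p, err)
			continue
		}
		fmt.Printf("%-34q -> %s\n", p, resolved)
	}
}
```

The check deliberately runs after `filepath.Clean`, because a naive `strings.Contains(userPath, "..")` rejects legitimate names such as `notes..txt` while still missing encoded or nested forms that only collapse during normalisation. Symlinks inside the workspace are a separate concern and would additionally need `filepath.EvalSymlinks` on the resolved target.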
[2] Vulnerability – Data retrieval after deletion of user
CVE-2019-12902
Vulnerability Description –
A new user holding the same `User ID` as a deleted user is able to restore the deleted user's data.
Impact –
An attacker would be able to retrieve unauthorized data.
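Two design choices prevent a re-created account from inheriting a deleted account's files: ownership must be keyed on an opaque, never-reused internal identifier rather than on the login string, and deleting the account must also purge the data bound to that identifier. The Go snippet below is an added illustration of both (it is not Pydio's code; the in-memory `Store` stands in for the user and file tables and is constructed for the example). Re-creating `alice` yields a fresh identifier, and the lookup path resolves ownership only through the current account's identifier.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// User is an account record. Login is what the person types; ID is an
// opaque value generated once per account and never reused.
type User struct {
	ID    string
	Login string
}

// Store is a constructed in-memory stand-in for the user and file tables.
type Store struct {
	users map[string]User     // login -> account
	files map[string][]string // owner ID -> file names
}

func NewStore() *Store {
	return &Store{users: map[string]User{}, files: map[string][]string{}}
}

// newID returns 128 random bits as hex. A collision with any earlier ID is
// negligible, so a re-created login can never line up with old ownership.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// CreateUser registers a login under a brand-new identifier.
func (s *Store) CreateUser(login string) User {
	u := User{ID: newID(), Login: login}
	s.users[login] = u
	return u
}

// DeleteUser removes the account and, just as importantly, the data owned
// by its ID, so nothing is left for a later account to reclaim.
func (s *Store) DeleteUser(login string) {
	if u, ok := s.users[login]; ok {
		delete(s.files, u.ID)
		delete(s.users, login)
	}
}

// AddFile records a file as owned by the login's current identifier.
func (s *Store) AddFile(login, name string) {
	u, ok := s.users[login]
	if !ok {
		return
	}
	s.files[u.ID] = append(s.files[u.ID], name)
}

// FilesFor resolves ownership through the current account's ID, never
// through the login string, so a freshly re-created account sees nothing.
func (s *Store) FilesFor(login string) []string {
	u, ok := s.users[login]
	if !ok {
		return nil
	}
	return s.files[u.ID]
}

func main() {
	s := NewStore()
	old := s.CreateUser("alice")
	s.AddFile("alice", "taxes.pdf") // constructed sample file
	fmt.Println("before deletion:", old.ID, s.FilesFor("alice"))

	s.DeleteUser("alice")
	fresh := s.CreateUser("alice")
	fmt.Println("after re-creation:", fresh.ID, s.FilesFor("alice"))
}
```

Either measure alone narrows the window but does not close it: unique identifiers without purging leave orphaned data on disk for an administrator to re-attach, while purging without unique identifiers still breaks if deletion is ever incomplete or deferred.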
[3] Vulnerability – Database Table/column name enumeration
CVE-2019-12903
Vulnerability Description –
Upon saving the user's `Name` field (My Account) as a non-utf8 character (a 4-byte character), the application throws an error, because it expects utf8 characters of at most 3 bytes. As part of the error, it exposes sensitive information such as database table and column names.
Impact –
An attacker can enumerate sensitive information such as database table and column names.
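Two separate defects combine here: the input is not validated against what the storage layer can hold, and the raw storage error is passed through to the client. The Go snippet below is an added example, not Pydio's code, showing the leaky pattern next to a hardened one. `HasFourByteRunes` detects code points above U+FFFF (the characters whose UTF-8 encoding is 4 bytes long, such as most emoji), and `saveToDB` is a constructed stand-in whose error text imitates a driver message naming a table and column; both the table name `idm_users` and the column `display_name` are placeholders invented for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"unicode/utf8"
)

// ErrUnsupportedChar is the only detail a client receives when a name
// contains a character the storage layer cannot hold.
var ErrUnsupportedChar = errors.New("display name contains an unsupported character")

// HasFourByteRunes reports whether s contains a rune whose UTF-8 encoding
// is 4 bytes long (code points above U+FFFF). A column declared with a
// 3-byte-maximum character set rejects these at write time.
func HasFourByteRunes(s string) bool {
	for _, r := range s {
		if utf8.RuneLen(r) == 4 {
			return true
		}
	}
	return false
}

// saveToDB stands in for the real write. The constructed error message
// imitates what a database driver reports: it names the table and column,
// which is exactly the detail that must not reach the client.
func saveToDB(name string) error {
	if !utf8.ValidString(name) || HasFourByteRunes(name) {
		return errors.New("Error 1366: Incorrect string value for column 'display_name' in table 'idm_users'") // constructed
	}
	return nil
}

// UpdateDisplayNameLeaky is the vulnerable pattern: whatever the storage
// layer says is handed straight back to the caller.
func UpdateDisplayNameLeaky(name string) error {
	return saveToDB(name)
}

// UpdateDisplayName is the hardened form: validate before touching storage,
// and if storage still fails, log the detail server-side and return a
// generic error to the client.
func UpdateDisplayName(name string) error {
	if !utf8.ValidString(name) || HasFourByteRunes(name) {
		return ErrUnsupportedChar
	}
	if err := saveToDB(name); err != nil {
		log.Printf("display name update failed: %v", err) // server log only
		return errors.New("could not update display name")
	}
	return nil
}

func main() {
	for _, name := range []string{"Alice", "Ålice", "Alice \U0001F600"} { // constructed inputs
		fmt.Printf("%-10q leaky: %v\n", name, UpdateDisplayNameLeaky(name))
		fmt.Printf("%-10q hardened: %v\n", name, UpdateDisplayName(name))
	}
}
```

The validation step is what makes the storage error unreachable for this input class; the generic error path remains as defence in depth for any other failure the driver reports, since a schema name in an HTTP response is useful reconnaissance regardless of which input triggered it.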
Timeline
Vendor Disclosure: 2019-4-5
Public Disclosure: 2019-6-20
Credit
Discovered by ACE Team – Loginsoft