mailing list archives
Vulnerability in Pydio/AjaXplorer <= 5.0.3
From: advisories () redfsec com
Date: Sun, 10 Nov 2013 14:00:39 GMT
Vulnerability in Pydio/AjaXplorer < = 5.0.3
Pydio allows you to instantly turn any server into a powerful file sharing platform. Formerly known as AjaXplorer
Description of vulnerability
There is a path traversal vulnerability in the zoho plugin that is distributed with Pydio/AjaXplorer 5.0.3 core to
An attacker may use this vulnerability to retrieve arbitrary information from the server. Or arbitrarily delete files
that the application has access to. Exploiting this vulnerability does not require authentication.
The zoho plugin location it isn't protected from direct access and will allow file inclusions/path traversal attacks
that will allow arbitrary local files to be accessed.
Files that the application has access to will also be unlinked (impact to integrity/availability).
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2013-6226 to this issue. This is a candidate
for inclusion in the CVE list.
Upgrade to Pydio v5.0.4 or higher.
October 10, 2013, Vulnerability identified
October 10, 2013, Vendor Notified
October 10, 2013, Vendor initial patch review
October 10, 2013, Patch released
November 10, 2013, Disclosure
Craig Arendt (Redfsec)
- Vulnerability in Pydio/AjaXplorer <= 5.0.3 advisories (Nov 11)