exploit the possibilities

Pydio / AjaXplorer 5.0.3 Shell Upload

Pydio / AjaXplorer 5.0.3 Shell Upload
Posted Nov 11, 2013
Authored by Craig Arendt

Pydio / AjaXplorer versions 5.0.3 and below suffer from an unrestricted upload functionality that allows for remote code execution.

tags | exploit, remote, code execution
advisories | CVE-2013-6227
MD5 | 1ef021fb65d261be067b8f81f81ac881

Pydio / AjaXplorer 5.0.3 Shell Upload

Change Mirror Download
Vulnerability in Pydio/AjaXplorer < = 5.0.3

============
Background:
Pydio allows you to instantly turn any server into a powerful file sharing platform. Formerly known as AjaXplorer

============
Description of vulnerability

There is an unrestricted upload capability, in one of the plugins that is distributed with Pydio 5.0.3 core to AjaXplorer 3.3.5.

An attacker may use this vulnerability to upload arbitrary files in a location that an attacker can control, and will allow remote code execution on the server. Exploiting this vulnerability does not require authentication.
============
Details:

/plugins/editor.zoho/agent/save_zoho.php

The uploaded file through $_FILES to save_zoho.php will be moved to a path that the user can control with the format parameter passed from the user. Because the file formats allowed are not restricted, and is also used in a move path, this can be used to upload arbitrary files to the server.

============
CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2013-6226 to this issue. This is a candidate for inclusion in the CVE list.

============
Vendor Response:
Upgrade to Pydio v5.0.4 or higher.
http://pyd.io/pydio-core-5-0-4/

============
Timeline:
============
October 13, 2013: Vulnerability identified
October 14, 2013: Vendor notified
October 14, 2013: Patch released
November 10, 2013: Disclosure
============
Research:
============
Craig Arendt (redfsec)
http://www.redfsec.com/CVE-2013-6227
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    15 Files
  • 14
    Apr 14th
    27 Files
  • 15
    Apr 15th
    19 Files
  • 16
    Apr 16th
    7 Files
  • 17
    Apr 17th
    1 Files
  • 18
    Apr 18th
    1 Files
  • 19
    Apr 19th
    19 Files
  • 20
    Apr 20th
    18 Files
  • 21
    Apr 21st
    30 Files
  • 22
    Apr 22nd
    18 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close