In a coordinated vulnerability disclosure released today, researchers at SecureAuth said they had found multiple vulnerabilities in Pydio 8 (version 8.2.2) that would let a malicious actor gain access to the application, escalate privileges and obtain administrator access. Pydio reportedly released a fixed version last week.
With privileged access to the application, the attacker could then leverage a separate vulnerability: an OS command injection in the ImageMagick plugin, executed with the privileges of the user account running the web server. In addition, SecureAuth found a cross-site scripting vulnerability in the file view feature and two unauthenticated information disclosure vulnerabilities in Pydio and PHP libraries.
An attacker with administrator access and exploiting the OS command injection could access any file being synchronized and shared.
According to the advisory, the privilege escalation vector, CVE-2019-10049, relies on chaining multiple vulnerabilities: "by chaining vulnerabilities it is possible for an attacker with regular user access to the web application to attempt to trick an administrator user to open a link shared through the application."
Security researcher Ramiro Molina from SecureAuth's security consulting services discovered the vulnerabilities, and Leandro Cuozzo from the SecureAuth advisories team coordinated the publication of the disclosure with Pydio.
"While important to productivity, file-sharing services that host, store, share or synchronize files across devices are targets for attackers due to the highly sensitive data that these files often contain – including business plans, financial information and even passwords," said Leandro Cuozzo, security researcher, SecureAuth.
"Research from McAfee shows file-sharing services store 39 percent of all corporate data uploaded to the cloud including highly sensitive information. Even though 64 percent of documents in file sharing services are not shared, they are still accessible by administrators. In this case, an attacker with administrator access and exploiting the OS command injection could access any file being synchronized and shared in a Pydio implementation.
"In addition to applying the latest patches, organizations should implement adaptive authentication to improve security and limit access to sensitive information in file-sharing services."