Heitor Gouvêa



CVE-2019-15032 - Username Leak via Improper Error Handling on Pydio Community


Summary

Pydio is a “modern file management platform built according to your business needs and regulations”. With CVE-2019-15032, an attacker can abuse one of its main features by sending a specific payload that forces an internal error, and the resulting error message leaks user names from the application.


Description

Pydio’s main functionality is file upload and sharing. One way to upload is the “Remote Server” feature: the user supplies a URL, and Pydio itself makes the request to that remote server on the Internet and downloads the file.

Pydio Upload File Form

The problem here is that Pydio does not properly validate this input, so a malicious user can supply a URL that points to an internal address (the server-side request forgery itself is tracked separately as CVE-2019-15033), for example: http://localhost

When the request to such an address fails, Pydio still has to return a response to the user. That response is not sanitized: it includes the server’s internal folder path, and that path even reveals the username of the user who created the folder:

Pydio Error Handling


For a better understanding, we can analyze the request below:

Pydio Error Handling Request


Impact

This vulnerability can be chained with other attacks, which makes it more serious. One example is a brute-force attack that tries to guess the passwords of the leaked usernames.

It can be exploited without authentication, because Pydio also allows folders to be created and shared so that third parties can upload and download files.


Mitigation

Upgrade Pydio to the latest available version.
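For developers who maintain a similar “fetch a file from a URL” feature, the following is an added example (not Pydio’s own code, and not the patch that fixed this CVE) of the two server-side controls whose absence the Description above relies on: a URL check that refuses internal targets, and an error path that returns a generic message while the full exception, paths included, stays in the server log. The hostnames, addresses, paths and the failing fetch function are constructed for the example; the resolver is injectable so the check runs offline.

```python
"""Hardened handling of a "fetch file from remote URL" upload feature.

Added example (not Pydio's code).  All hostnames, paths and error messages
below are constructed for illustration.
"""
import ipaddress
import logging
import re
import socket
from urllib.parse import urlsplit

log = logging.getLogger("remote_upload")
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Real DNS lookup: every address the host resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable addresses; loopback, RFC 1918,
    link-local (169.254.x.x, cloud metadata), multicast etc. are refused."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_remote_url(url, resolver=default_resolver):
    """Return the reasons this URL must not be fetched (empty list = allowed)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lower-cased, brackets stripped from IPv6
    except ValueError:
        return ["malformed URL"]
    problems = []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme not allowed")
    if not host:
        problems.append("missing host")
        return problems
    if host == "localhost" or host.endswith(".localhost"):
        problems.append("loopback hostname")
        return problems
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP in the URL
    except ValueError:
        try:
            addrs = set(resolver(host))              # hostname: check every A/AAAA
        except OSError:
            return problems + ["host does not resolve"]
    for addr in sorted(addrs):
        if not is_public_address(addr):
            problems.append(f"resolves to non-public address {addr}")
    return problems


# Anything that looks like an absolute filesystem path must never reach the client.
ABS_PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)+[\w.\-]*")


def redact_paths(text):
    """Replace absolute paths in an internal message with a placeholder."""
    return ABS_PATH_RE.sub("<path>", text)


def handle_remote_upload(url, fetch, resolver=default_resolver):
    """Return (ok, user_message).  Internal detail goes to the server log only."""
    problems = validate_remote_url(url, resolver)
    if problems:
        log.warning("rejected remote upload of %r: %s", url, "; ".join(problems))
        return False, "The remote URL is not allowed."
    try:
        data = fetch(url)
    except Exception as exc:   # boundary handler: nothing internal may escape
        # Full exception text (paths, usernames) stays server side; the client
        # gets a message that says nothing about the filesystem.
        log.error("remote fetch of %r failed: %s", url, exc)
        return False, "The remote file could not be retrieved."
    return True, f"Fetched {len(data)} bytes."


def hypothetical_failing_fetch(url):
    """Constructed stand-in for a download that fails inside the data directory;
    the message imitates the kind of leak the advisory describes."""
    raise OSError("failed to open stream: "
                  "/var/www/pydio/data/personal/alice/upload.tmp")


if __name__ == "__main__":
    for u in ("http://localhost", "http://[::1]/", "http://169.254.169.254/",
              "http://93.184.216.34/report.pdf"):
        print(u, validate_remote_url(u))
    print(handle_remote_upload("http://93.184.216.34/report.pdf",
                               hypothetical_failing_fetch))
    print(redact_paths("fopen(/var/www/pydio/data/personal/alice/x.tmp) failed"))
```

Two caveats a practitioner would add: the check and the later download resolve the hostname separately, so a DNS-rebinding attacker can pass the check and still reach an internal address unless the download connects to the address that was validated (pin it, or re-validate the peer address on connect and on every redirect). And when testing a fix, assert on the HTTP response body that no absolute path or account name appears, as `handle_remote_upload` guarantees here, rather than only on the status code.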


References