Heitor Gouvêa
CVE-2019-15032 - Username Leak via Improper Error Handling on Pydio Community
Summary
The Pydio[1] is a “modern file management platform built according to your business needs and regulations” and with the CVE-2019-15002[2] an attacker can use one of its main features to send a specific payload to force internal errors that consequently leaks user names from the application.
Description
Pydio’s main functionality is file upload and sharing. One way to upload is through the “Remote Server” feature, where Pydio makes a request to a remote server on the Internet and downloads the file.
The problem here is that Pydio does not handle filters properly on the input of this data, allowing a malicious user to enter a URL to an internal address (see also CVE-2019-15033), such as: http://localhost
-
And Pydio, in an unsuccessful attempt to make the request, eventually needs to provide a response to the user, however this response is is an improper error handling[3], resulting in the server’s internal folder path leaking and even stating the username who created this folder:
-
For a better understanding, we can analyze the request below:
Impact
This vulnerability could serve as a helper for other vulnerabilities and thus is become even more critical; An example of this is brute-force attacks in an attempt to crack the password of leaked usernames by exploiting this vulnerability.
This vulnerability could be exploited without authentication because another feature of Pydio is the creation and making of folders available for third parties to upload and download files.
Mitigation
Upgrade your Pydio application to last version available.
Conclusion
An attacker, with authorized access to Pydio, can use this vulnerability to discover more information about the application, operating system and other information about the Stack structure used by the company. Thus, aligning this vulnerability with others, such as CVE-2019-15033 to cause impacts that may become relevant.