CVE-2019-15032 - Username Leak via Error Handling | Pydio Community

Summary

Pydio is a “modern file management platform built according to your business needs and regulations.”

Description

Pydio’s main functionality is file upload and sharing. One way to upload is through the “Remote Server” feature, where Pydio makes a request to a remote server on the Internet and downloads the file.

[Screenshot]

The problem is that Pydio does not properly validate this input, so a malicious user can supply a URL that points to an internal address (see also CVE-2019-15033), such as: http://localhost

-

When the request fails, Pydio still has to return a response to the user. That response is not well-structured: it leaks the server’s internal folder path and even the username of the account that created the folder:

[Screenshot]

-

For a better understanding, we can analyze the request below:

[Screenshot]

This vulnerability can be exploited without authentication, because Pydio also allows folders to be created and shared with third parties so that they can upload and download files.

This vulnerability can also act as a stepping stone for other attacks, which makes it more critical. One example is a brute-force attack against the passwords of the usernames leaked through this vulnerability.
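The pattern behind the leak, as an added illustration that is not Pydio’s code: the unsafe handler returns the raw exception text from a failed remote fetch (which embeds a server-side path containing the account name), while the hardened handler logs the detail server-side and returns only an opaque reference. The error text, the path, the username and the `HOME_PATH_RE` matcher are constructed, hypothetical values.

```python
import ipaddress
import logging
import re
from urllib.parse import urlsplit

log = logging.getLogger("remote-upload")

# Constructed sample: the kind of low-level error a failed fetch to an
# internal address can raise after the server has already built a
# destination path under the account's home directory (hypothetical).
SAMPLE_ERROR = OSError(
    "Connection refused while saving to /home/alice/pydio-data/uploads/file.bin"
)

# Hypothetical matcher for the leak described above: a server-side path
# that embeds an account name.
HOME_PATH_RE = re.compile(r"/home/([A-Za-z0-9_.-]+)/")


def vulnerable_response(exc: Exception) -> dict:
    """Unsafe pattern: the raw exception text is sent back to the client."""
    return {"status": "error", "message": str(exc)}


def hardened_response(exc: Exception, request_id: str) -> dict:
    """Log the detail server-side; return only a generic message and a reference."""
    log.error("remote fetch failed [%s]: %s", request_id, exc)
    return {"status": "error", "message": "Remote download failed.", "ref": request_id}


def leaked_usernames(body: str) -> list:
    """Detection helper: usernames recoverable from home-directory paths in a response."""
    return HOME_PATH_RE.findall(body)


def is_internal_target(url: str) -> bool:
    """Reject literal loopback/private hosts before any request is made.

    Checks literal hosts only; a real filter must also resolve the name and
    re-check the resolved address.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in ("", "localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local


if __name__ == "__main__":
    for resp in (vulnerable_response(SAMPLE_ERROR), hardened_response(SAMPLE_ERROR, "req-0001")):
        print(resp, "->", leaked_usernames(str(resp)))
```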

References


© 2019 Heitor Gouvêa. All rights reserved.