Pydio is a “modern file management platform built according to your business needs and regulations”. With CVE-2019-15002, an attacker can use one of its main features to send a specific payload that forces internal errors which, in turn, leak user names from the application.
Pydio’s main functionality is file upload and sharing. One way to upload is through the “Remote Server” feature, where Pydio makes a request to a remote server on the Internet and downloads the file.
The problem is that Pydio does not properly filter this input, allowing a malicious user to enter a URL that points to an internal address (see also CVE-2019-15033), such as: http://localhost
When that request fails, Pydio still has to return a response to the user. That response is not well-structured: it leaks the server’s internal folder path and even names the user who created the folder:
For a better understanding, we can analyze the request below:
This vulnerability can serve as a stepping stone for other attacks, which makes it even more critical; one example is a brute-force attack against the passwords of the usernames leaked by exploiting this vulnerability.
This vulnerability can be exploited without authentication, because another Pydio feature lets users create folders and make them available to third parties for uploading and downloading files.
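The two defensive controls that together close this class of bug are (1) validating the remote URL before the server fetches it, so that names or literals resolving to loopback or private ranges are refused, and (2) never echoing the raw internal error back to the client. The following is an added Python illustration of both, not Pydio’s own code; the allowed-scheme policy, the `fake_resolver` lookup table and the sample exception text are constructed for the example.

```python
import ipaddress
import logging
import secrets
import socket
from urllib.parse import urlsplit

log = logging.getLogger("remote_fetch")

# Schemes the remote-fetch feature may use (hypothetical policy, not Pydio's).
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip: str) -> bool:
    """True for any address a server-side fetch must never be pointed at:
    loopback, RFC 1918, link-local, shared address space, reserved, etc."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def validate_remote_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return `url` if it points at a public host; raise ValueError otherwise.

    The hostname is resolved and every returned address is checked, so a
    DNS name that maps to 127.0.0.1 is rejected just like a literal IP.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("unsupported URL scheme")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = {info[4][0] for info in resolver(host, None)}
    except socket.gaierror:
        raise ValueError("host does not resolve")
    if not addresses or any(is_internal_address(ip) for ip in addresses):
        raise ValueError("host resolves to an internal address")
    return url


def is_safe_remote_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around validate_remote_url for callers and tests."""
    try:
        validate_remote_url(url, resolver)
    except ValueError:
        return False
    return True


def user_facing_error(exc: Exception) -> dict:
    """Second control: never echo the exception to the client.

    The full detail (which may contain filesystem paths and the owning
    user's name) goes to the server log under a short reference id; the
    client only sees a generic message plus that id for support lookups.
    """
    ref = secrets.token_hex(4)
    log.error("remote fetch failed [%s]: %r", ref, exc)
    return {"error": "The remote file could not be retrieved.", "ref": ref}


# Constructed name table so the demo runs offline; real code uses getaddrinfo.
_FAKE_DNS = {
    "example.com": "93.184.216.34",   # public address
    "localhost": "127.0.0.1",
    "intranet.corp": "10.0.0.5",      # private RFC 1918 name (constructed)
}


def fake_resolver(host, port):
    """Mimics socket.getaddrinfo's (family, type, proto, canon, sockaddr) rows."""
    try:
        ip = _FAKE_DNS.get(host) or str(ipaddress.ip_address(host))
    except ValueError:
        raise socket.gaierror(f"unknown host {host}")
    return [(None, None, None, "", (ip, port or 0))]


if __name__ == "__main__":
    for candidate in ("https://example.com/report.pdf", "http://localhost",
                      "http://127.0.0.1:8080/", "http://intranet.corp/",
                      "http://[::ffff:127.0.0.1]/", "ftp://example.com/x"):
        verdict = "allowed" if is_safe_remote_url(candidate, fake_resolver) else "rejected"
        print(f"{candidate:40} -> {verdict}")
    # Constructed exception standing in for the raw error a server might expose.
    raw = OSError("mkdir(): /var/www/pydio/data/personal/alice/tmp: Permission denied")
    print(user_facing_error(raw))
```

Resolving at validation time and connecting afterwards still leaves a DNS-rebinding window; a production fetcher should pin the connection to the address it validated rather than resolving twice. The error handling is the part directly relevant to this CVE: whatever the fetch fails with, the client gets a fixed message and a lookup reference, and the path and username stay in the server log.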
Upgrade your Pydio installation to the latest available version.