Greetings hackers; just quickly wanted to share an advisory write-up that my team discovered in Pydio Cells 4.2.0. These have been disclosed and we have been in very close communication with the vendor. We at DeepCove Cybersecurity (DCC) pride ourselves in providing a well-rounder and white-gloves approach to our security services; that the tools we use and recommend to our customers have undergone an extensive penetration test assessment to ensure its security.

Thanks to the rest of the team at DCC, with their help, our security researchers were able to identify a few zero days within the Pydio Cells service.

Timeline (2023):

May 10 — bugs discovered

May 11 — bugs reported and acknowledged

May 18 — hotfix is created by pydio and re-tested

May 22 — new patch is released by Pydio 4.2.1
(https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421)

May 30 — CVEs Assigned

When creating a shared user as a standard user, a parameter called “profile” is submitted with the HTTPS request. I identified that there was no access control in place. Knowing my current user role “standard”, we can change this parameter value from “shared” to “standard” — which resulted in the creation of a new standard user. Malicious user may create an arbitrary account within the pydio instance to maintain persistence in the organization. They may also be able to leverage this as data exfiltration strategy.

PoC:

1. Navigate to a folder/file/cell and click the person icon on the top right of the page
2. Create a new shared user and click “submit” while capturing the request with Burp
3. Change the “profile” attribute from “shared” to “standard” and login as a the new user to validate.

The application by design is not supposed to render HTML tags, and sanitizes some characters; however, embedding a combination of both <a and <img allows users to render HTML codes within the chat function. This can lead to the ability for users to post malicious links, files, images, and in some cases, XSS by embedding javascript code within the HTML tags.

Steps to reproduce:

1. Login to a standard user account with shared cell with other users.

2. Post a message containing the clickable link payload:

<a href=”http://google.com">

<img src=”image.jpg” alt=”Description of image” />

</a>

By forcing the “create user” request as a regular user, and giving the new user a naming convention using “/” (slash) will create a new group within the organization. From there, with a carefully crafted HTTPS request, the standard user can give read/write permissions to the group; which is later inherited to the new users within that group.

When “watching” a specific file in Pydio to set a notification of changes and deletion, the application submits the following HTTPS requests to subscribe/unsubscribe endpoints:

Changing the “UserId” parameter to a user “iggy3” or “admin” (both have admin roles), will unsubscribe them from the file they are currently subscribed to.

This proof of concept was done on “common files”; however, since there is currently no rate-limiting mechanism in the application (by design), a malicious user can potentially unsubscribe/subscribe the victim into arbitrary amount of files creating a spam-like notification.

In addition, a malicious actor can leverage this to modify uploaded files (threat to integrity) without admins or other users knowing it has been modified.