Background:
Pydio allows you to instantly turn any server into a powerful file sharing platform. It was formerly known as AjaXplorer.
============
Description of vulnerability:
There is a path traversal vulnerability in the zoho plugin distributed with Pydio/AjaXplorer core versions 3.3.5 through 5.0.3.
Details:
/plugins/editor.zoho/agent/save_zoho.php
This zoho plugin script is not protected from direct access, which allows file inclusion/path traversal attacks through which arbitrary local files can be accessed.
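From the detection side, as an added example written for this page (not code from the advisory or from Pydio): a small Python scanner that pulls requests for save_zoho.php out of web-server access logs and flags any parameter value that still contains a `..` segment after percent-decoding, including double-encoded forms. The log lines and the `file` parameter name are constructed; the advisory does not name the vulnerable parameter, so every parameter is inspected.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script named in the advisory; requests that reach it directly are the ones to review.
ZOHO_AGENT = "/plugins/editor.zoho/agent/save_zoho.php"
# Apache/nginx combined log format: client, ident, user, [time], "METHOD target PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2e%2e/ and %252e%252e/ both become ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat backslash as a separator too

def has_traversal(value):
    """True when any segment of the decoded value is '..' (the pattern the advisory describes)."""
    return ".." in decode_fully(value).split("/")

def classify(line):
    """Return None for lines that never touch save_zoho.php, else a dict describing the request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status, _size = m.groups()
    url = urlsplit(target)
    if not decode_fully(url.path).endswith(ZOHO_AGENT):
        return None
    # Parameter names are not given in the advisory, so every value is inspected.
    suspect = [k for k, v in parse_qsl(url.query, keep_blank_values=True) if has_traversal(v)]
    verdict = "traversal" if suspect else "direct-access"
    return {"client": client, "time": when, "method": method, "status": status,
            "params": suspect, "verdict": verdict}

def scan(log_text):  # classify every line; keep the hits in log order
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

# Constructed sample lines (not from any real server). The `file` parameter name is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:12:00:01 +0000] "GET /plugins/editor.zoho/agent/save_zoho.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1542
203.0.113.5 - - [10/Oct/2013:12:00:02 +0000] "GET /pydio/plugins/editor.zoho/agent/save_zoho.php?file=%252e%252e%252f%252e%252e%252fconf.php HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2013:12:05:00 +0000] "POST /plugins/editor.zoho/agent/save_zoho.php?file=report.doc HTTP/1.1" 200 23
192.0.2.9 - - [10/Oct/2013:12:06:00 +0000] "GET /index.php?get_action=ls&dir=%2F HTTP/1.1" 200 4410
"""
if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['verdict']:13} params={hit['params']}")
```

Direct-access hits with no traversal are still worth a look on unpatched installs, since the advisory's point is that the script should not be reachable directly at all.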
Vendor Response:
Upgrade to Pydio v5.0.4 or higher.
http://pyd.io/pydio-core-5-0-4/
Timeline:
October 10, 2013, Vulnerability identified
October 10, 2013, Vendor Notified
October 10, 2013, Vendor initial patch review
October 10, 2013, Patch released
November 10, 2013, Disclosure
Credit:
Craig Arendt (Redfsec)
http://www.redfsec.com/CVE-2013-6226