Vulnerability in Pydio/AjaXplorer <= 5.0.3
============
Background:
Pydio allows you to instantly turn any server into a powerful file sharing platform. It was formerly known as AjaXplorer.
============
Description of vulnerability:
There is an unrestricted file upload in one of the plugins distributed with the core, affecting versions from AjaXplorer 3.3.5 through Pydio 5.0.3.
Details:
/plugins/editor.zoho/agent/save_zoho.php
A file uploaded through $_FILES to save_zoho.php is moved to a path built from the user-supplied format parameter. Because the accepted formats are not restricted and the same parameter is used in the destination path, this can be used to upload arbitrary files to the server.
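As an added example (not Pydio's code and not the patched save_zoho.php), this PHP 7.1+ handler shows the mitigation for the class of bug described above: the format parameter is checked against a fixed allowlist and the file name is restricted to a plain token before move_uploaded_file() runs. The request field names (name, format, content) and the upload directory are assumptions.

```php
<?php
// Added example, not Pydio's code. The request fields "name", "format" and
// "content" and the $uploadDir argument are assumptions for illustration.

// Only formats the editor actually handles may become the file extension.
const ALLOWED_FORMATS = ['doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp'];

/**
 * Return the destination path for an upload, or null if any input is unsafe.
 * The extension comes from the allowlist (never from free-form user input)
 * and the base name is limited to a token with no separators or dots.
 */
function safeTargetPath(string $uploadDir, string $name, string $format): ?string
{
    $format = strtolower($format);
    if (!in_array($format, ALLOWED_FORMATS, true)) {
        return null;                       // anything outside the list is refused
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;                       // no "/", "\", "." or NUL in the name
    }
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        return null;                       // the upload directory must already exist
    }
    return $dir . DIRECTORY_SEPARATOR . $name . '.' . $format;
}

/** Move the uploaded file only after the destination has been validated. */
function handleSave(string $uploadDir): bool
{
    if (!isset($_FILES['content']) || $_FILES['content']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        return false;
    }
    $target = safeTargetPath($uploadDir, $_POST['name'] ?? '', $_POST['format'] ?? '');
    if ($target === null) {
        http_response_code(400);           // reject rather than guess a path
        return false;
    }
    return move_uploaded_file($_FILES['content']['tmp_name'], $target);
}
```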
============
CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2013-6226 to this issue. This is a candidate for inclusion in the CVE list.
============
Vendor Response:
Upgrade to Pydio v5.0.4 or higher.
http://pyd.io/pydio-core-5-0-4/
Craig Arendt (redfsec)
http://www.redfsec.com/CVE-2013-6227