Pydio Zoho Editor Directory Traversal and File Upload Vulnerabilities


Description   Craig Arendt has discovered two vulnerabilities in Pydio, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, and compromise a vulnerable system.
1) Input passed via the "name" parameter to /plugins/editor.zoho/agent/save_zoho.php (when "ajxp_action" is set to "get_file") is not properly sanitised before being used to download and delete files. This can be exploited to download or delete arbitrary files via directory traversal sequences.
2) Input passed via the "id" and "format" parameters to /plugins/editor.zoho/agent/save_zoho.php is not properly verified before being used to upload files inside the webroot. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.
The vulnerabilities are confirmed in version 5.0.3. Prior versions may also be affected.
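For the two issues just described, an added detection example (not code from this advisory, from Craig Arendt or from the Pydio project): it tags web-server access-log lines that reach save_zoho.php with a traversal sequence in "name" or a PHP-type value in "id"/"format". The log lines are constructed, and treating a PHP extension in "id"/"format" as the upload signature is an assumption, since the advisory only states that a PHP script can be uploaded.

```python
# Added example (not from the advisory or from the Pydio project): tag access-log
# requests to the Zoho editor agent endpoint that match the two issues above.
# Log lines are constructed; the "id"/"format" extension heuristic is an assumption.
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/plugins/editor.zoho/agent/save_zoho.php"
# ".." as a whole path segment (../, ..\, trailing ..), like the ASQ alarms listed below
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# a bare "php" value or a name ending in an extension the PHP engine executes
SCRIPT_EXT = re.compile(r"(^|\.)(php\d?|phtml|phar)$", re.IGNORECASE)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed combined-log lines
    '10.0.0.5 - - [14/Nov/2013:10:00:01 +0000] "GET /plugins/editor.zoho/agent/'
    'save_zoho.php?ajxp_action=get_file&name=..%252F..%252Fplaceholder.txt HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Nov/2013:10:00:02 +0000] "POST /plugins/editor.zoho/agent/'
    'save_zoho.php?id=doc1&format=php HTTP/1.1" 200 17',
    '10.0.0.7 - - [14/Nov/2013:10:00:03 +0000] "GET /plugins/editor.zoho/agent/'
    'save_zoho.php?ajxp_action=get_file&name=report.docx HTTP/1.1" 200 9001',
    '10.0.0.7 - - [14/Nov/2013:10:00:04 +0000] "GET /index.php?name=../x HTTP/1.1" 200 10',
]


def decode_fully(value):
    """Undo repeated percent-encoding so a double-encoded ..%252F is seen as ../ too."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value


def classify(line):
    """Return the alarm tags raised by one access-log line (empty list if benign)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer itself
    action = params.get("ajxp_action", [""])[0]
    alarms = []
    for value in params.get("name", []):
        if TRAVERSAL.search(decode_fully(value)):
            alarms.append("traversal-in-name" + ("-get_file" if action == "get_file" else ""))
    for key in ("id", "format"):  # only visible here when sent in the query string;
        for value in params.get(key, []):  # POST bodies need a WAF/IPS, not access logs
            if SCRIPT_EXT.search(decode_fully(value)):
                alarms.append(f"script-upload-{key}")
    return alarms
```

Running `classify` over `SAMPLE_LOG` flags the first two lines and leaves the legitimate download and the unrelated endpoint untouched.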
     
Vulnerable Products   Vulnerable Software:
Pydio (formerly AjaXplorer) 5.x
     
Solution   Update to version 5.0.4.
     
CVE   CVE-2013-6226
     
References   Pydio:
http://pyd.io/pydio-core-5-0-4/
Craig Arendt:
http://www.redfsec.com/CVE-2013-6226
http://www.redfsec.com/CVE-2013-6227
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                            Available Since
Misc : Directory traversal - parameter starting with ../    3.2.0
Directory traversal using ..\..                             3.2.0
Directory traversal                                         3.2.0
Directory traversal backward root folder                    3.2.0
     
Risk level   High

Vulnerability First Public Report Date   2013-11-14

Target Type   Server

Possible exploit   Remote