PT-2019-19770 · Pydio · Pydio

Published: 2019-06-05 · Updated: 2021-07-21 · CVE-2019-9642

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pydio versions through 8.2.2

Description: An issue was discovered in Pydio that allows malicious PHP code to be evaluated through an unauthenticated request. This can be achieved by placing the malicious code on the fourth line of a .php file. For example, a PoC.php file created by the guest account can be executed via a request to the "proxy.php?hash=../../../../../var/lib/pydio/data/personal/guest/PoC.php" endpoint. This issue is related to the plugins/action.share/src/Store/ShareStore.php file.

Recommendations: For Pydio versions through 8.2.2, consider restricting access to the proxy.php endpoint until a patch is available. As a temporary workaround, do not expose the proxy.php endpoint to unauthenticated requests.
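As an added defensive example (not code from the Pydio project or from this advisory), the following Python script scans constructed web-server access-log lines for proxy.php requests whose hash parameter, after percent-decoding, resolves outside an assumed base directory. The base directory path and the common log format are assumptions; the sample log lines are constructed.

```python
"""Flag proxy.php requests whose hash parameter escapes the expected directory."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate hash value names a file under this hypothetical directory.
BASE_DIR = "/var/lib/pydio/data/public"

# Request line of a common-log-format entry: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e -> ..) before inspecting the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hash_escapes_base(hash_value: str, base_dir: str = BASE_DIR) -> bool:
    """True when the decoded hash parameter resolves outside base_dir.

    Backslashes are treated as separators and an absolute value replaces base_dir
    on join, so both forms are caught by the final prefix check.
    """
    decoded = _decode_fully(hash_value).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base_dir, decoded))
    return not (resolved == base_dir or resolved.startswith(base_dir + "/"))


def suspicious_proxy_requests(log_lines):
    """Return (line_no, target) for proxy.php requests whose hash escapes BASE_DIR."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/proxy.php"):
            continue
        for value in parse_qs(parts.query).get("hash", []):
            if hash_escapes_base(value):
                hits.append((line_no, match.group("target")))
    return hits


# Constructed sample log lines (not real traffic); line 2 mirrors the advisory's PoC path.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2019:10:00:01 +0000] "GET /proxy.php?hash=abc123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2019:10:00:02 +0000] "GET /proxy.php?hash=../../../../../var/lib/pydio/data/personal/guest/PoC.php HTTP/1.1" 200 77',
    '203.0.113.5 - - [05/Jun/2019:10:00:03 +0000] "GET /proxy.php?hash=%252e%252e%2fother%2fnote.txt HTTP/1.1" 404 0',
    '198.51.100.9 - - [05/Jun/2019:10:00:04 +0000] "GET /index.php?hash=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for n, target in suspicious_proxy_requests(SAMPLE_LOG):
        print(f"line {n}: traversal in {target}")
```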

Fix

Unrestricted File Upload

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2019-9642

Affected Products: Pydio