CVE-2013-6227
published 2014-12-27


Priority: P258 · Severity: high · CVSS 2.0 base score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 7.96% (94.0th percentile)
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format parameter of a move operation.

Affected (2 ranges)

Vendor       Product      Version range   Fixed in
ajaxplorer   ajaxplorer   <= 5.0.3
pydio        pydio        <= 5.0.3

Detection & IOCs (extracted from sources)

path: /plugins/editor.zoho/agent/save_zoho.php
path: /plugins/editor.zoho/agent/files
url: http://<host>/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=../../../../../../../../etc/passwd
url: http://<host>/plugins/editor.zoho/agent/save_zoho.php?id=&format=./../../../data/files/test.html
command: curl -F 'content=@<file>;type=<mime>;filename=\"<file>\"' "http://<host>/plugins/editor.zoho/agent/save_zoho.php?id=<id>&format=<traversal_path>"
command: curl "http://<host>/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=<traversal_path>"
  • Monitor HTTP requests to save_zoho.php containing directory traversal sequences (e.g., '../') in the 'format' parameter, indicating an attempted arbitrary file upload via path traversal.
  • Alert on HTTP GET/POST requests to save_zoho.php with the query parameter 'ajxp_action=get_file' combined with directory traversal sequences in the 'name' parameter, indicating arbitrary file read/delete exploitation.
  • Detect multipart/form-data POST requests to /plugins/editor.zoho/agent/save_zoho.php with executable file content (e.g., PHP webshells) as the 'content' field, which may indicate a webshell upload attempt.
  • Watch for unexpected new files appearing under /data/files/ that were not created through normal application workflows, especially files with executable extensions, as the default drop location for traversal-based uploads.
  • The directory traversal file upload (Option 1 / 'format' parameter) requires the attacker to have write permission on the target directory. Exploitation is limited to paths writable by the web server process user.
  • The arbitrary file read via 'ajxp_action=get_file' is destructive: the retrieved file is permanently deleted (unlinked) after being read, if the file is writable by the web server process.
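The first three detection bullets above can be implemented as a small scanner over web-server access logs. The following is an added example written for this page, not code from the CVE source or from the Pydio project. It assumes a combined-format access log (the field layout and the sample lines are constructed), matches requests to save_zoho.php, and flags traversal sequences in the 'format' and 'name' parameters as the bullets describe. It goes slightly beyond the bullets in two ways: it peels percent-encoding before checking for '../', so a double-encoded traversal is not missed, and it tags every remaining POST to the endpoint for content review, because the multipart 'content' field is not visible in an access log and must be checked at the proxy or on disk.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory and the traversal marker the bullets describe.
TARGET_PATH = "/plugins/editor.zoho/agent/save_zoho.php"
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Combined-format access log line. Field layout is an assumption of this example.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_traversal(value: str) -> bool:
    """True if value contains '../' or '..\\' after peeling up to two more
    layers of percent-encoding (parse_qs has already removed one)."""
    for _ in range(3):
        if TRAVERSAL.search(value):
            return True
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return False


def classify_request(method: str, target: str) -> list[str]:
    """Return detection tags for one request line; empty list means no finding."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Bullet 1: traversal in 'format' -> file written outside the intended directory.
    if any(has_traversal(v) for v in params.get("format", [])):
        findings.append("traversal-upload:format")
    # Bullet 2: get_file with traversal in 'name' -> arbitrary read (and unlink).
    if params.get("ajxp_action") == ["get_file"] and any(
        has_traversal(v) for v in params.get("name", [])
    ):
        findings.append("traversal-read:name")
    # Bullet 3: the uploaded body is not in the access log; queue POSTs for
    # content inspection elsewhere (proxy capture or the files directory).
    if method == "POST" and not findings:
        findings.append("upload-post:review-content")
    return findings


def scan_log(lines):
    """Yield (client_ip, method, tags) for every log line with a finding."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        findings = classify_request(m["method"], m["target"])
        if findings:
            alerts.append((m["ip"], m["method"], findings))
    return alerts


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Dec/2014:10:00:01 +0000] "GET /plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=../../../../../../../../etc/passwd HTTP/1.1" 200 1421',
    '203.0.113.5 - - [27/Dec/2014:10:00:07 +0000] "POST /plugins/editor.zoho/agent/save_zoho.php?id=&format=./../../../data/files/test.html HTTP/1.1" 200 12',
    '198.51.100.9 - - [27/Dec/2014:10:01:00 +0000] "GET /plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 88',
    '192.0.2.14 - - [27/Dec/2014:10:02:00 +0000] "POST /plugins/editor.zoho/agent/save_zoho.php?id=abc123&format=html HTTP/1.1" 200 12',
    '192.0.2.14 - - [27/Dec/2014:10:02:30 +0000] "GET /index.php?get_action=ls&dir=%2F HTTP/1.1" 200 3300',
]

if __name__ == "__main__":
    for ip, method, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {', '.join(tags)}")
```

The third sample line is double-encoded; `parse_qs` decodes it once to `%2e%2e%2f`, and `has_traversal` peels the second layer before matching, which is the case a naive substring match on the raw query string misses. The `upload-post:review-content` tag is deliberately low severity: on its own it only says that a file reached the endpoint, and the bullet's actual condition (executable content in the 'content' field) has to be confirmed from the request body or from new files under the drop directory.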