CVE-2013-6227
Published: 2014-12-27
Priority: P2 · 58 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) · EXPLOIT · EPSS: 7.96% (94.0th percentile)
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format parameter of a move operation.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ajaxplorer | ajaxplorer | <= 5.0.3 | — |
| pydio | pydio | <= 5.0.3 | — |
Detection & IOCs (extracted from sources)
- URL: `http://<host>/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=../../../../../../../../etc/passwd`
- URL: `http://<host>/plugins/editor.zoho/agent/save_zoho.php?id=&format=./../../../data/files/test.html`
- Command: `curl -F 'content=@<file>;type=<mime>;filename=\"<file>\"' "http://<host>/plugins/editor.zoho/agent/save_zoho.php?id=<id>&format=<traversal_path>"`
- Command: `curl "http://<host>/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=<traversal_path>"`
- Monitor HTTP requests to save_zoho.php containing directory traversal sequences (e.g., '../') in the 'format' parameter, indicating an attempted arbitrary file upload via path traversal.
- Alert on HTTP GET/POST requests to save_zoho.php with the query parameter 'ajxp_action=get_file' combined with directory traversal sequences in the 'name' parameter, indicating arbitrary file read/delete exploitation.
- Detect multipart/form-data POST requests to /plugins/editor.zoho/agent/save_zoho.php with executable file content (e.g., PHP webshells) as the 'content' field, which may indicate a webshell upload attempt.
- Watch for unexpected new files appearing under /data/files/ that were not created through normal application workflows, especially files with executable extensions, as this is the default drop location for traversal-based uploads.
- The directory traversal file upload (Option 1 / 'format' parameter) requires the attacker to have write permission on the target directory. Exploitation is limited to paths writable by the web server process user.
- The arbitrary file read via 'ajxp_action=get_file' is destructive: the retrieved file is permanently deleted (unlinked) after being read, if the file is writable by the web server process.
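As an added example (not code from this page or from Pydio), a small Python detector that applies the first two rules above to constructed access-log lines: it flags save_zoho.php requests whose 'format' parameter, or whose 'name' parameter under ajxp_action=get_file, carries a '..' segment, percent-decoding first so encoded traversal is not missed. The combined-log format, client IPs and sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the page's sources); the request targets mirror the URL patterns above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Dec/2014:10:00:01 +0000] "POST /plugins/editor.zoho/agent/save_zoho.php?id=&format=./../../../data/files/test.html HTTP/1.1" 200 12
10.0.0.5 - - [27/Dec/2014:10:00:02 +0000] "GET /plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=../../../../../../../../etc/passwd HTTP/1.1" 200 1432
10.0.0.6 - - [27/Dec/2014:10:00:03 +0000] "GET /plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432
10.0.0.7 - - [27/Dec/2014:10:00:04 +0000] "POST /plugins/editor.zoho/agent/save_zoho.php?id=42&format=pdf HTTP/1.1" 200 5
10.0.0.8 - - [27/Dec/2014:10:00:05 +0000] "GET /index.php?get_action=ls&dir=%2F HTTP/1.1" 200 800
"""

SAVE_ZOHO = "/plugins/editor.zoho/agent/save_zoho.php"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment bounded by forward/back slashes or the ends of the string.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def has_traversal(value):
    # Decode twice so %2e%2e%2f and double-encoded %252e forms both
    # collapse to "../" before matching.
    return bool(TRAVERSAL_RE.search(unquote(unquote(value))))


def classify(line):
    # Label one access-log line: "traversal-upload" for save_zoho.php with
    # ".." in 'format', "traversal-read" for get_file with ".." in 'name'.
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(SAVE_ZOHO):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if any(map(has_traversal, params.get("format", []))):
        return "traversal-upload"
    if params.get("ajxp_action") == ["get_file"] and any(
        map(has_traversal, params.get("name", []))
    ):
        return "traversal-read"
    return None


def scan(log_text):
    # Return (client_ip, label) for every line that triggers a finding.
    return [(line.split(" ", 1)[0], label)
            for line in log_text.splitlines()
            if (label := classify(line))]
```

Running `scan(SAMPLE_LOG)` flags the first three lines and ignores the benign save_zoho.php call and the unrelated request.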
No detection rules found.
No writeups or analysis indexed.