Pydio Cells 4.1.2 - Server-Side Request Forgery

Exploit Author: RedTeam Pentesting GmbH
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2023-05-31
Exploit Title: Pydio Cells 4.1.2 - Server-Side Request Forgery
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

Using the REST-API of Pydio Cells it is possible to start jobs. For
example, when renaming a file or folder an HTTP request similar to the
following is sent:

------------------------------------------------------------------------
PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140

{
  "JobName": "move",
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"
}
------------------------------------------------------------------------

The body contains a JSON object with a job name and additional
parameters for the job. Besides the "move" job, a job named
"remote-download" exists. It takes two additional parameters, "urls" and
"target": "urls" is a list of URLs to fetch and "target" is the path
within Pydio Cells in which to save the responses. When the job is
started, the Pydio Cells server sends an HTTP GET request to each of the
specified URLs. Each response is saved into a file, which is uploaded to
the specified folder within Pydio Cells. Errors are transmitted over a
WebSocket channel, which can be opened through the "/ws/event" endpoint.


Proof of Concept
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,
run the following commands to start a "remote-download" job to trigger
an HTTP request:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"

$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
| tee remote-download.json

$ curl --header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--request PUT \
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'
------------------------------------------------------------------------

The "urls" list in the JSON document specifies which URLs the server
requests. The "target" field in the same document specifies the folder
into which each response is saved. Once the job has run, the response
body is available as a file in that folder. Errors are reported on the
WebSocket channel.


Workaround
==========

Limit the services which can be reached by the Pydio Cells server, for
example using an outbound firewall.


Fix
===

Upgrade Pydio Cells to a fixed version: 4.2.0, 4.1.3 or 3.0.12, or any
later release.


Security Risk
=============

The risk is highly dependent on the environment in which the attacked
Pydio Cells instance runs. If there are any internal HTTP services which
expose sensitive data on the same machine or within the same network,
the server-side request forgery vulnerability could pose a significant
risk. In other circumstances, the risk could be negligible. Therefore,
overall the vulnerability is rated as a medium risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/


Pydio Cells 4.1.2 – Server-Side Request Forgery (SSRF) Vulnerability: A Deep Dive into CVE-2023-32750

Pydio Cells, a self-hosted document sharing and collaboration platform designed for enterprise environments, is affected by a Server-Side Request Forgery (SSRF) vulnerability in versions 4.1.2 and earlier. The flaw, tracked as CVE-2023-32750 and rated medium risk by the reporting team, illustrates why any server-side feature that fetches user-supplied URLs must restrict where it may connect, particularly in cloud and hybrid deployments where loopback services and metadata endpoints sit right next to the application.

Understanding Server-Side Request Forgery (SSRF)

SSRF is a class of vulnerability in which an attacker makes a server issue HTTP requests to arbitrary internal or external systems. Unlike client-side attacks, SSRF exploits the server's own network position: the requests originate from the server, so they reach hosts that perimeter filtering hides from the attacker. Depending on what is listening there, the impact ranges from reading internal pages and credentials (cloud metadata endpoints are the classic case) to triggering actions on internal services that act on GET requests and, in some chains, code execution.

In the context of Pydio Cells, the vulnerability sits in the REST API endpoint used to start background jobs. Specifically, /a/jobs/user/remote-download lets any authenticated user make the server issue HTTP GET requests to URLs of their choosing; the responses are saved as files into the target folder of the user's Pydio Cells workspace. This functionality, intended for downloading remote files into a workspace, becomes an SSRF vector because the supplied URLs are not checked against internal addresses.

Exploitation Mechanics in Pydio Cells 4.1.2

The core of the vulnerability lies in the remote-download job, which accepts two parameters:

  • urls: A list of URLs to fetch.
  • target: The destination path within Pydio Cells where the downloaded content is stored.

When a job is started via the PUT request, Pydio Cells performs an HTTP GET request to each URL listed in urls. The server does not check whether the URL points at an internal address (e.g., http://localhost) or an external one. This lack of validation lets an attacker target internal HTTP services, such as:

  • Internal admin interfaces bound to localhost or the internal network
  • HTTP-based management, metrics or health endpoints
  • Service discovery and cloud metadata endpoints
  • Configuration files or status pages served on localhost

Proof of Concept: Exploiting the SSRF Vulnerability


export JWT="G4ZRN[...]"  # Replace with valid JWT from authenticated session

echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
| tee remote-download.json

curl --header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--request PUT \
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'

This sequence demonstrates how an authenticated user can trigger a server-side HTTP request to http://localhost:8000/internal.html, which may expose sensitive information such as configuration files, internal APIs, or even credentials.

Why this works: the server treats the supplied URL like any legitimate remote resource and fetches it from its own network position. Because the request originates from the Pydio Cells host, it reaches services bound to localhost or the internal network that inbound firewalls and network segmentation never expose to the public internet. An outbound firewall on the host itself, the workaround given in the advisory, does still apply, because the request has to leave the server.

Real-World Attack Scenarios

Imagine a scenario where an attacker holds a compromised user account on a Pydio Cells instance. With that account's JWT, they can (the localhost URLs below are hypothetical placeholders, not known Pydio paths):

  • Retrieve internal configuration served over HTTP, e.g. http://localhost:8000/config.json.
  • Probe for admin panels that are bound to localhost only, e.g. http://localhost:8000/admin.
  • Fetch a database dump exposed by an internal HTTP service, e.g. http://localhost:8000/db/backup.
  • Exfiltrate the responses simply by downloading the resulting files from the target folder.

Even though none of these URLs is reachable from outside, the SSRF lets the attacker reach them through the server's own network position, and the job hands the response back as a regular file in the workspace.

Security Implications and Risk Assessment

Parameter            Value
-------------------  ------------------------------------
Vulnerability Type   Server-Side Request Forgery (SSRF)
Security Risk        medium (RedTeam Pentesting rating)
Affected Versions    4.1.2 and earlier
Fixed Versions       4.2.0, 4.1.3, 3.0.12
CVE Identifier       CVE-2023-32750

While rated medium, the real danger lies in using the Pydio Cells host as a pivot into the internal network. SSRF can be chained with other weaknesses (an unauthenticated internal admin API, a cloud metadata endpoint that hands out credentials, misconfigured access controls) to escalate privileges or extract sensitive data.

Vendor Response and Mitigation

Pydio was notified on 2023-05-02 and released fixed versions 4.2.0, 4.1.3 and 3.0.12 on 2023-05-08. The advisory does not describe the code change, so the following is what a correct fix for this class of bug has to do, not a description of Pydio's patch:

  • Restrict the scheme to http/https and reject URLs carrying embedded credentials.
  • Resolve the host and reject loopback, private (RFC 1918, ULA), link-local (which includes the cloud metadata address 169.254.169.254) and unspecified ranges, then connect to the address that was checked; apply the same check to every redirect hop.
  • Where the deployment allows it, keep an allowlist of permitted download hosts instead of a denylist of internal addresses.

Administrators are advised to upgrade immediately to one of the patched versions.

Best Practices for Secure API Design

This vulnerability serves as a critical reminder for developers and security teams:

  • Never trust user-provided URLs in server-side operations; parse them and check scheme, host and resolved address rather than the raw string.
  • Validate using allowlists, not denylists; if a denylist of address ranges is all that is feasible, apply it to the resolved IP and to every redirect, since the string "localhost" is only one of many spellings of 127.0.0.1.
  • Implement network isolation for internal services, even on the same host: the advisory's workaround, an outbound firewall on the Pydio Cells server, contains the bug without a code change.
  • Log and monitor unusual API activity, especially jobs that initiate outbound requests, such as remote-download jobs whose URLs point at loopback or RFC 1918 addresses.
  • Use role-based access control to restrict job initiation to the users who actually need it.
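The following is an added example in Go (the language Pydio Cells is written in); it is not code from the advisory or from the Pydio project and does not show how Pydio's fix was implemented. It puts the fix requirements and the best practices above into one validator: an http/https scheme allowlist, rejection of embedded credentials, resolution of the host followed by a range check on every returned address (loopback, private, link-local including 169.254.169.254, unspecified, multicast, and IPv4-mapped IPv6 spellings), and an http.Client that re-runs the check at dial time and on each redirect so that the address checked is the address connected to. The Resolver type, the hostnames files.example.org and rebind.attacker.test, and the function names are assumptions made for this example; the stub resolver exists so the check can be exercised offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Resolver abstracts DNS so the check can be unit-tested offline; production
// code passes net.LookupIP. (Type introduced for this example.)
type Resolver func(host string) ([]net.IP, error)

var ErrDisallowed = errors.New("remote-download: target not allowed")

// isForbiddenIP rejects loopback, RFC 1918/ULA, link-local (which covers the
// cloud metadata address 169.254.169.254), unspecified and multicast addresses.
// IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are normalised first.
func isForbiddenIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateRemoteURL enforces an http/https scheme allowlist, refuses userinfo,
// resolves the host and returns the address the fetcher must connect to, so
// that the checked IP and the dialed IP are the same one.
func ValidateRemoteURL(raw string, resolve Resolver) (*url.URL, net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, fmt.Errorf("%w: %v", ErrDisallowed, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, nil, fmt.Errorf("%w: scheme %q", ErrDisallowed, u.Scheme)
	}
	host := u.Hostname()
	if host == "" || u.User != nil {
		return nil, nil, fmt.Errorf("%w: empty host or embedded credentials", ErrDisallowed)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS, but still range-checked
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, nil, fmt.Errorf("%w: cannot resolve %q", ErrDisallowed, host)
	}
	// Reject if ANY answer is internal: a name under attacker control may return
	// one public and one private record and let the client pick the private one.
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, nil, fmt.Errorf("%w: %s resolves to %s", ErrDisallowed, host, ip)
		}
	}
	return u, ips[0], nil
}

// NewGuardedClient builds an http.Client that re-runs the check at dial time
// (closing the window between validation and connection) and on every
// redirect, so a 302 from an allowed host to http://127.0.0.1/ is refused.
func NewGuardedClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{}
	return &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				host, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				_, ip, err := ValidateRemoteURL("http://"+net.JoinHostPort(host, port), resolve)
				if err != nil {
					return nil, err
				}
				return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
			},
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("remote-download: too many redirects")
			}
			_, _, err := ValidateRemoteURL(req.URL.String(), resolve)
			return err
		},
	}
}

func main() {
	// Constructed inputs: the advisory's PoC target plus two common SSRF pivots.
	for _, raw := range []string{
		"https://files.example.org/report.pdf",
		"http://localhost:8000/internal.html",
		"http://169.254.169.254/latest/meta-data/",
	} {
		if _, ip, err := ValidateRemoteURL(raw, net.LookupIP); err != nil {
			fmt.Println("reject", raw, "->", err)
		} else {
			fmt.Println("allow ", raw, "->", ip)
		}
	}
}
```

The deliberate design choice is that the validator returns the resolved IP and the guarded client dials that IP rather than the hostname: checking a name and then letting the HTTP library resolve it a second time is exactly the gap that DNS rebinding and split-horizon answers exploit. Rejecting a name when any of its records is internal errs on the side of refusing a download rather than trusting the client to pick the public record.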

Conclusion

The SSRF in Pydio Cells 4.1.2 shows how a well-intentioned feature, remote file download, becomes a liability when the server fetches whatever URL it is given. CVE-2023-32750 is a reminder that APIs must be designed on the assumption that malicious input will arrive: strict validation of the resolved target, network isolation of internal services, and monitoring of outbound-request jobs keep SSRF from being exploitable in production.