oss-sec mailing list archives
Re: Re: CVE - ownCloud
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 5 Sep 2012 18:25:09 -0400 (EDT)
On Sat, 1 Sep 2012, Kurt Seifried wrote:
> ------------- Version 4.0.6 Aug 1st 2012
> Security: Check for Admin user in appconfig.php (CSRF)
> Registered user could change app configs without admin rights.
> https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f
> Security: Several CSRF security fixes
> The admin settings and the bookmark app wasn't checking the CSRF token.
> https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f and
> https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745
> CVEs merged into a single CVE
> Please use CVE-2012-4393 for these issues.

Our interpretation is that this line item is not CSRF: "Registered user could change app configs without admin rights"

It's a permissions/authorization problem. It's made WORSE by CSRF, but even without CSRF, a registered user could do something they shouldn't.
So, we assigned CVE-2012-4752 for "Registered user could change app configs without admin rights"
> Version 4.0.5 July 20th
> Reflected XSS (XSS)
> The filelist wasn't sanitizing HTML values in image files.
> https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8
> Please use CVE-2012-4394 for this issue.
The 4.0.5 changelog at http://owncloud.org/changelog/ also says "Several CSRF security fixes"
So, we assigned CVE-2012-4753 for the CSRF fixed by 4.0.5.

- Steve
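The distinction Steve draws (a missing admin authorization check is a separate defect from a missing CSRF token check, and a CSRF fix alone leaves it open) is easy to see in a handler that applies one check without the other. The following is an added, language-neutral simulation written for this archive page, not ownCloud's own code; `Session`, the handler names and the config key are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Constructed stand-in for a logged-in user session with a per-session CSRF token."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def csrf_ok(session: Session, token: Optional[str]) -> bool:
    """CSRF check: the request must carry the token issued to this very session."""
    return token is not None and hmac.compare_digest(token, session.csrf_token)


def set_app_config_csrf_only(cfg: dict, session: Session, key: str, value: str, token: Optional[str]) -> str:
    """Handler with ONLY the CSRF fix: a registered non-admin can still write config."""
    if not csrf_ok(session, token):
        return "denied: csrf"
    cfg[key] = value
    return "ok"


def set_app_config_hardened(cfg: dict, session: Session, key: str, value: str, token: Optional[str]) -> str:
    """Handler with both fixes: authorization (is the caller an admin?) and then CSRF."""
    if not session.is_admin:
        return "denied: not admin"      # the authorization defect (CVE-2012-4752 class)
    if not csrf_ok(session, token):
        return "denied: csrf"           # the CSRF defect (CVE-2012-4393 class)
    cfg[key] = value
    return "ok"


def demo() -> dict:
    """Runs the four cases that separate the two defects; returns the handler verdicts."""
    admin, member = Session("alice", is_admin=True), Session("bob", is_admin=False)
    key, value = "example_app.setting", "1"   # constructed config key, not a real ownCloud key
    return {
        # A registered non-admin sending their OWN valid token: a direct request, no CSRF involved.
        "csrf_only/member_direct": set_app_config_csrf_only({}, member, key, value, member.csrf_token),
        "hardened/member_direct": set_app_config_hardened({}, member, key, value, member.csrf_token),
        # An admin whose browser submits the request without the token: the CSRF case.
        "hardened/admin_no_token": set_app_config_hardened({}, admin, key, value, None),
        # The admin's legitimate, token-bearing request.
        "hardened/admin_with_token": set_app_config_hardened({}, admin, key, value, admin.csrf_token),
    }
```

`demo()` shows the CSRF-only handler still accepting the non-admin's direct write, which is exactly why the authorization issue received its own CVE.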