oss-sec mailing list archives

Re: Re: CVE - ownCloud

From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 5 Sep 2012 18:25:09 -0400 (EDT)


On Sat, 1 Sep 2012, Kurt Seifried wrote:

- -------------
Version 4.0.6 Aug 1th 2012

Security: Check for Admin user in
appconfig.php (CSRF)
Registered user could change app configs without admin rights.
https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f
Security: Several CSRF security fixes
The admin settings and the bookmark app wasn't checking the CSRF token.
https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f
and
https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745

CVS merged into a single CVE

Please use CVE-2012-4393 for these issues.


Our interpretation is that this line item is not CSRF:

  "Registered user could change app configs without admin rights"

It's a permissions/authorization problem. It's made WORSE by CSRF, buteven without CSRF, a registered user could do something they shouldn't.

So, we assigned CVE-2012-4752 for "Registered user could change appconfigs without admin rights"

Version 4.0.5 July 20th
Reflected XSS (XSS)
The filelist wasn't sanitzing HTML values in image files.
https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8

Please use CVE-2012-4394 for this issue.

The 4.0.5 changelog at http://owncloud.org/changelog/ also says "SeveralCSRF security fixes"


So, we assigned CVE-2012-4753 for the CSRF fixed by 4.0.5.

- Steve

Current thread:

Re: CVE - ownCloud Kurt Seifried (Sep 01)
- Re: Re: CVE - ownCloud Steven M. Christey (Sep 05)