oss-sec mailing list archives
ownCloud Security Advisories (2013-003, 2013-004, 2013-005, 2013-006, 2013-007)
From: Lukas Reschke <lukas () owncloud org>
Date: Thu, 21 Feb 2013 19:09:27 +0100
# Multiple XSS vulnerabilities (oC-SA-2013-003)

Web: http://owncloud.org/about/security/advisories/oC-SA-2013-003/

## CVE IDENTIFIERS

- CVE-2013-0297, CVE-2013-0307 (4.0 & 4.5)
- CVE-2013-0298 (4.5)

## AFFECTED SOFTWARE

- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to inject arbitrary web script or HTML via

- the "site_name" and "site_url" POST parameters to setsites.php in /apps/external/ajax/ (CVE-2013-0297)
  - Commits: e0140a (stable45), 1fbb89a (stable4)
  - Risk: Low
  - Note: Successful exploitation of this stored XSS requires the "external" app to be enabled (disabled by default) and administrator privileges.
- the group input field to settings.php (CVE-2013-0307)
  - Commits: e2faa92 (stable45), 57f40b2 (stable4)
  - Risk: Low
  - Note: Successful exploitation of this DOM-based self XSS requires administrator privileges.

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to inject arbitrary web script or HTML via

- the import of a specially crafted iCalendar file via the calendar application (CVE-2013-0298)
  - Commits: 6608da2 (stable45)
  - Risk: High
  - Note: Successful exploitation of this stored XSS requires the "calendar" app to be enabled (enabled by default); an attacker may be able to share this crafted event with other users.
- the "dir" and "file" GET parameters to viewer.php in /apps/files_pdfviewer/ (CVE-2013-0298)
  - Commits: 04cbec7 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this reflected XSS requires the "files_pdfviewer" app to be enabled (enabled by default).
- the "mountpoint" POST parameter to addMountPoint.php in /apps/files_external/ (CVE-2013-0298)
  - Commits: / (stable45)
  - Risk: Low
  - Note: Successful exploitation of this reflected XSS requires the "files_external" app to be enabled (disabled by default).

## CREDITS

The ownCloud Team would like to thank Sabari Selvan (http://www.ehackingnews.com) for discovering an XSS vulnerability (CVE-2013-0307).

## RESOLUTION

Update to ownCloud Server 4.5.7 or 4.0.12

http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Multiple CSRF vulnerabilities (oC-SA-2013-004)

Web: http://owncloud.org/about/security/advisories/oC-SA-2013-004/

## CVE IDENTIFIERS

- CVE-2013-0299 (4.0 & 4.5)
- CVE-2013-0300 (4.5)
- CVE-2013-0301 (4.0)

## AFFECTED SOFTWARE

- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to hijack the authentication of users via

- the "lat" and "lng" POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits: 452a626 (stable45), 015ac6a (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar" app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of the user.
- the "timezonedetection" POST parameter to timezonedetection.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits: 452a626 (stable45), 97d0cee (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar" app to be enabled (enabled by default).
  - Impact: An attacker may be able to disable or enable the automatic timezone detection.
- the "admin_export" POST parameter to settings.php in /apps/admin_migrate/ (CVE-2013-0299)
  - Commits: bc93744 (stable45), 28dc89e (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the "admin_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to import a user account.
- the "operation" POST parameter to export.php in /apps/user_migrate/ajax/ (CVE-2013-0299)
  - Commits: 2de405a (stable45), de9befd (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the "user_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to overwrite files of the logged-in user.
- multiple unspecified POST parameters to settings.php in /apps/user_ldap/ (CVE-2013-0299)
  - Commits: 5ec272d (stable45), b966095 (stable4)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the "user_ldap" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to hijack the authentication of users via

- the "v" POST parameter to changeview.php in /apps/calendar/ajax/ (CVE-2013-0300)
  - Commits: 452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar" app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the default view of a user.
- multiple unspecified parameters to addRootCertificate.php, dropbox.php and google.php in /apps/files_external/ajax/ (CVE-2013-0300)
  - Commits: 2e819d6 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this CSRF requires the "files_external" app to be enabled (disabled by default).
  - Impact: An attacker may be able to mount arbitrary Google Drive or Dropbox folders into the internal filesystem.
- multiple unspecified POST parameters to settings.php in /apps/user_webdavauth/ (CVE-2013-0300)
  - Commits: 9282641 (stable45)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the "user_webdavauth" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.

A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11 and all prior versions allows remote attackers to hijack the authentication of users via

- the "timezone" POST parameter to settimezone.php in /apps/calendar/ajax/settings/ (CVE-2013-0301)
  - Commits: 452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar" app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of a user.

## RESOLUTION

Update to ownCloud Server 4.5.7 or 4.0.12

http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Information disclosure (oC-SA-2013-005)

Web: http://owncloud.org/about/security/advisories/oC-SA-2013-005/

## CVE IDENTIFIER

- CVE-2013-0302

## AFFECTED SOFTWARE

- ownCloud Server < 4.5.7

## RISK

Low

## COMMITS

- c67261fe (stable45)

## DESCRIPTION

Due to the inclusion of the Amazon SDK testing suite, an unauthenticated attacker is able to gain additional information about the server, including:

- the PHP version
- the cURL version
- information on whether the following functions/modules are available:
  - SimpleXML
  - DOM
  - SPL
  - JSON
  - PCRE
  - File System Read/Write
  - OpenSSL
  - Zlib
  - APC
  - XCache
  - Memcache
  - Memcached
  - PDO
  - PDO-SQLite
  - SQLite 2
  - SQLite 3
- the following PHP settings:
  - open_basedir
  - safe_mode
  - zend.enable_gc
- the server architecture (32bit/64bit)

## RESOLUTION

Update to ownCloud Server 4.5.7

http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2

---------------------------------------

# Multiple code executions (oC-SA-2013-006)

Web: http://owncloud.org/about/security/advisories/oC-SA-2013-006/

## CVE IDENTIFIER

- CVE-2013-0303

## AFFECTED SOFTWARE

- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## RISK

Critical

## DESCRIPTION

A code execution vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allows authenticated remote attackers to execute arbitrary PHP code via

- unspecified POST parameters to translations.php in /core/ajax/
  - Commits: 74e73bc (stable4), ece08cd (stable45)
  - Risk: Critical

A code execution vulnerability in ownCloud 4.5.6 and all prior versions (except ownCloud 4.0.x) allows authenticated remote attackers to execute arbitrary PHP code via

- unspecified POST parameters to settings.php in /core/
  - Commits: 746aa0 (stable45)
  - Risk: Critical

## RESOLUTION

Update to ownCloud Server 4.5.7 or 4.0.12

http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Privilege escalation in the calendar application (oC-SA-2013-007)

Web: http://owncloud.org/about/security/advisories/oC-SA-2013-007/

## CVE IDENTIFIER

- CVE-2013-0304

## AFFECTED SOFTWARE

- ownCloud Server < 4.5.7

## RISK

High

## COMMIT

- d4802d8 (stable45)

## DESCRIPTION

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/

Note: Successful exploitation of this CSRF requires the "calendar" app to be enabled (enabled by default).

## CREDITS

The ownCloud Team would like to thank Romain Severin (http://www.intrinsec.com/) for discovering this vulnerability.

## RESOLUTION

Update to ownCloud Server 4.5.7

http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!
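An added defender-side example, not part of the advisory or of ownCloud's code: a small Python scanner that reads combined-format web server log lines and flags requests to the endpoints the advisories above name, so an administrator can check for activity against them before or after upgrading. It assumes the Apache/nginx combined log format, treats the "markup in parameter" check and the calendar id enumeration threshold as heuristics, and uses constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoints from oC-SA-2013-003/004/006/007: (method, path) -> (query params to inspect, advisory)
WATCHED = {
    ("GET", "/apps/calendar/export.php"): (("calid",), "oC-SA-2013-007"),
    ("GET", "/apps/files_pdfviewer/viewer.php"): (("dir", "file"), "oC-SA-2013-003"),
    ("POST", "/core/ajax/translations.php"): ((), "oC-SA-2013-006"),
    ("POST", "/apps/user_ldap/settings.php"): ((), "oC-SA-2013-004"),
}
# Combined log format (Apache/nginx); only the client ip, method and request target are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": url.path, "query": parse_qs(url.query)}

def analyze(lines, enum_threshold=2):
    findings, calids = [], defaultdict(set)  # calids: client ip -> distinct calid values seen
    for req in filter(None, map(parse_line, lines)):
        rule = WATCHED.get((req["method"], req["path"]))
        if rule is None:
            continue
        params, advisory = rule
        if not params:  # affected versions accepted these state-changing POSTs without CSRF protection
            findings.append((advisory, req["ip"], f"POST {req['path']}"))
        for param in params:
            for value in req["query"].get(param, []):
                if param == "calid":
                    calids[req["ip"]].add(value)
                elif any(ch in value for ch in "<>\"'"):  # markup in a path parameter (heuristic)
                    findings.append((advisory, req["ip"], f"markup in {param}={value!r}"))
    for ip, ids in calids.items():  # one client exporting many calendar ids (threshold is an assumption)
        if len(ids) >= enum_threshold:
            findings.append(("oC-SA-2013-007", ip, f"{len(ids)} distinct calid values"))
    return findings

# Constructed sample lines (not real traffic): 10.0.0.5 walks calendar ids, 10.0.0.9 hits two other endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2013:19:09:27 +0100] "GET /apps/calendar/export.php?calid=7 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Feb/2013:19:09:28 +0100] "GET /apps/calendar/export.php?calid=8 HTTP/1.1" 200 1901 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Feb/2013:19:11:40 +0100] "POST /core/ajax/translations.php HTTP/1.1" 200 56 "-" "curl/7.29"
10.0.0.9 - - [21/Feb/2013:19:12:01 +0100] "GET /apps/files_pdfviewer/viewer.php?dir=%2F&file=%3Cb%3Ex.pdf HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""
```

Run `analyze(SAMPLE_LOG.splitlines())` to get one finding per advisory touched by the sample; feed real access log lines the same way.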