oss-sec mailing list archives

ownCloud Security Advisories (2013-003, 2013-004, 2013-005, 2013-006, 2013-007)


From: Lukas Reschke <lukas () owncloud org>
Date: Thu, 21 Feb 2013 19:09:27 +0100

# Multiple XSS vulnerabilities (oC-SA-2013-003)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-003/

## CVE IDENTIFIERS
- CVE-2013-0297, CVE-2013-0307 (4.0 & 4.5)
- CVE-2013-0298 (4.5)

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## DESCRIPTION
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6
and 4.0.11 and all prior versions allow remote attackers to inject
arbitrary web script or HTML via

- the "site_name" and "site_url" POST parameters to setsites.php in
/apps/external/ajax/ (CVE-2013-0297)
  - Commits:  e0140a (stable45), 1fbb89a (stable4)
  - Risk: Low
  - Note: Successful exploitation of this stored XSS requires the
"external" app to be enabled (disabled by default) and administrator
privileges.
- the group input field to settings.php (CVE-2013-0307)
  - Commits:  e2faa92 (stable45), 57f40b2 (stable4)
  - Risk: Low
  - Note: Successful exploitation of this DOM based self XSS requires
administrator privileges.

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6
and all prior versions (except 4.0.x) allow remote attackers to inject
arbitrary web script or HTML via

- the import of a specially crafted iCalendar file via the calendar
application (CVE-2013-0298)
  - Commits: 6608da2 (stable45)
  - Risk: High
  - Note: Successful exploitation of this stored XSS requires the
"calendar" app to be enabled (enabled by default); an attacker may be
able to share the crafted event with other users.
- the "dir" and "file" GET parameter to viewer.php in
/apps/files_pdfviewer/ (CVE-2013-0298)
  - Commits: 04cbec7 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this reflected XSS requires the
"files_pdfviewer" app to be enabled (enabled by default).
- the "mountpoint" POST parameter to addMountPoint.php in
/apps/files_external/ (CVE-2013-0298)
  - Commits: / (stable45)
  - Risk: Low
  - Note: Successful exploitation of this reflected XSS requires the
"files_external" app to be enabled (disabled by default).
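The XSS entries above all share one root cause: untrusted input (an event title from an imported .ics file, a "dir"/"file" query parameter, a mount point name) reaches the page without being encoded for the context it lands in. The following is an added example, not ownCloud's own code, showing the fix pattern for the two contexts the advisory names: an HTML body and a JavaScript string (the DOM-based case). The function names and the sample event title are constructed for this illustration.

```php
<?php
// Added example (not ownCloud code): context-aware output encoding for
// untrusted text such as an imported calendar event title or a reflected
// GET parameter. Function names and the sample input are assumptions.

// Escape a value interpolated into HTML text or a quoted HTML attribute.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape a value interpolated into an inline <script> as a JS string literal.
// The JSON_HEX_* flags hex-encode < > & ' " so the literal can never close
// the surrounding <script> element or break out of the string.
function js_escape(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample: an event SUMMARY as it might arrive in an uploaded .ics.
$summary = 'Lunch <script>x</script> & "review"';

// Vulnerable pattern: untrusted text dropped straight into the markup.
$vulnerable = "<td>$summary</td>";

// Hardened pattern: the same text, encoded for the HTML context; the browser
// shows the tags as literal characters instead of parsing them.
$hardened = '<td>' . html_escape($summary) . '</td>';

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "hardened:   ", $hardened, PHP_EOL;

// DOM/JS context: build the script from an encoded literal rather than by
// concatenating raw input into JavaScript source.
echo '<script>var title = ' . js_escape($summary) . ';</script>', PHP_EOL;
```

The rule the example encodes is that the escaping function is chosen by the output context, not by where the input came from: a value that is safe inside an HTML text node is not thereby safe inside a script block, which is why the DOM-based "group" field case needs the JSON encoding path rather than `htmlspecialchars`.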

## Credits
The ownCloud Team would like to thank Sabari Selvan
(http://www.ehackingnews.com) for discovering an XSS vulnerability
(CVE-2013-0307).

## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Multiple CSRF vulnerabilities (oC-SA-2013-004)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-004/

## CVE IDENTIFIERS
- CVE-2013-0299 (4.0 & 4.5)
- CVE-2013-0300 (4.5)
- CVE-2013-0301 (4.0)

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud
4.5.6 and 4.0.11 and all prior versions allow remote attackers to
hijack the authentication for users via

- the "lat" and "lng" POST parameters to guesstimezone.php in
/apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits:  452a626 (stable45), 015ac6a (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of the user.
- the "timezonedetection" POST parameter to timezonedetection.php in
/apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits:  452a626 (stable45), 97d0cee (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to disable or enable the automatic
timezone detection.
- the "admin_export" POST parameter to settings.php in
/apps/admin_migrate/ (CVE-2013-0299)
  - Commits: bc93744 (stable45), 28dc89e (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the
"admin_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to import a user account.
- the "operation" POST parameter to export.php in
/apps/user_migrate/ajax/ (CVE-2013-0299)
  - Commits: 2de405a (stable45), de9befd (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the
"user_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to overwrite files of the logged in user.
- multiple unspecified POST parameters to settings.php in
/apps/user_ldap/ (CVE-2013-0299)
  - Commits: 5ec272d (stable45), b966095 (stable4)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the
"user_ldap" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud
4.5.6 and all prior versions (except 4.0.x) allow remote attackers to
hijack the authentication for users via

- the "v" POST parameter to changeview.php in /apps/calendar/ajax/
(CVE-2013-0300)
  - Commits:  452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the default view of a user.
- multiple unspecified parameters to addRootCertificate.php,
dropbox.php and google.php in /apps/files_external/ajax/
(CVE-2013-0300)
  - Commits:  2e819d6 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this CSRF requires the
"files_external" app to be enabled (disabled by default).
  - Impact: An attacker may be able to mount arbitrary Google Drive or
Dropbox folders to the internal filesystem.
- multiple unspecified POST parameters to settings.php in
/apps/user_webdavauth/ (CVE-2013-0300)
  - Commits: 9282641 (stable45)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the
"user_webdavauth" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.

A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11
and all prior versions allows remote attackers to hijack the
authentication for users via

- the "timezone" POST parameter to settimezone.php in
/apps/calendar/ajax/settings/ (CVE-2013-0301)
  - Commits:  452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of a user.
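Every entry in this advisory is the same defect: a state-changing POST handler that trusts the session cookie alone, so a page on another origin can submit the request with the victim's credentials. The added example below is not ownCloud code; it shows a synchronizer-token check in front of a timezone handler like the ones listed above. `$session` stands in for `$_SESSION` and `$post` for `$_POST` so the script runs from the CLI, and the parameter name `csrf_token` and all function names are assumptions.

```php
<?php
// Added example (not ownCloud code): synchronizer-token protection for a
// state-changing POST endpoint. Names and the in-memory session/settings
// arrays are assumptions made so the script runs from the command line.

// Issue one unguessable token per session and reuse it for every form/XHR.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_verify(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Vulnerable shape: any POST carrying "timezone" is honoured. Browsers attach
// the session cookie automatically, so the origin of the form is never checked.
function set_timezone_unchecked(array &$settings, array $post): bool
{
    $settings['timezone'] = $post['timezone'];
    return true;
}

// Hardened shape: the token check runs before any state changes, and the
// value itself is validated against the list PHP knows.
function set_timezone_checked(array &$settings, array $session, array $post): bool
{
    if (!csrf_verify($session, $post)) {
        return false;                      // respond 403 and change nothing
    }
    $tz = $post['timezone'] ?? '';
    if (!in_array($tz, timezone_identifiers_list(), true)) {
        return false;                      // reject values that are not timezones
    }
    $settings['timezone'] = $tz;
    return true;
}

$session  = [];
$settings = ['timezone' => 'UTC'];
$token    = csrf_token($session);

// A forged cross-site request carries the cookies but cannot read the token.
$forged = ['timezone' => 'Europe/Berlin'];
echo "unchecked handler, forged request: ",
     set_timezone_unchecked($settings, $forged) ? 'accepted' : 'rejected', PHP_EOL;
echo "checked handler, forged request:   ",
     set_timezone_checked($settings, $session, $forged) ? 'accepted' : 'rejected', PHP_EOL;

// A request generated by the application's own page includes the token.
$genuine = ['timezone' => 'Europe/Berlin', 'csrf_token' => $token];
echo "checked handler, genuine request:  ",
     set_timezone_checked($settings, $session, $genuine) ? 'accepted' : 'rejected', PHP_EOL;
```

The check belongs in one central place that every POST handler passes through; the length of this advisory's list is what happens when each AJAX script has to remember to add it individually.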

## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Information disclosure (oC-SA-2013-005)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-005/

## CVE IDENTIFIER
- CVE-2013-0302

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7

## RISK
Low

## Commits
- c67261fe (stable45)

## DESCRIPTION
Due to the inclusion of the Amazon SDK testing suite, an
unauthenticated attacker is able to gain additional information about
the server, including:

- the PHP version
- the cURL version
- information on whether the following functions/modules are available:
  - SimpleXML
  - DOM
  - SPL
  - JSON
  - PCRE
  - File System Read/Write
  - OpenSSL
  - Zlib
  - APC
  - XCache
  - Memcache
  - Memcached
  - PDO
  - PDO-SQLite
  - SQLite 2
  - SQLite 3
- the following PHP settings:
  - open_basedir
  - safe_mode
  - zend.enable_gc
- the server architecture (32bit/64bit)

## RESOLUTION
Update to ownCloud Server 4.5.7
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2

---------------------------------------

# Multiple code executions (oC-SA-2013-006)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-006/

## CVE IDENTIFIER
- CVE-2013-0303

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## RISK
Critical

## DESCRIPTION
A code execution vulnerability in ownCloud 4.5.6 and 4.0.11 and all
prior versions allows authenticated remote attackers to execute
arbitrary PHP code via

- unspecified POST parameters to translations.php in /core/ajax/
  - Commits: 74e73bc (stable4), ece08cd (stable45)
  - Risk: Critical

A code execution vulnerability in ownCloud 4.5.6 and all prior
versions (except ownCloud 4.0.x) allows authenticated remote attackers
to execute arbitrary PHP code via

- unspecified POST parameters to settings.php in /core/
  - Commits: 746aa0 (stable45)
  - Risk: Critical

## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Privilege escalation in the calendar application (oC-SA-2013-007)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-007/

## CVE IDENTIFIER
- CVE-2013-0304

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7

## RISK
High

## COMMIT
- d4802d8 (stable45)

## DESCRIPTION
Due to not properly checking the ownership of a calendar, an
authenticated attacker is able to download calendars of other users
via the "calid" GET parameter to export.php in /apps/calendar/.

Note: Successful exploitation of this CSRF requires the "calendar" app
to be enabled (enabled by default).
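The defect described here is a missing authorization check between "the calendar id is valid" and "the calendar belongs to the caller". The added example below is not ownCloud code; it contrasts an export handler that trusts `calid` with one that requires the row to belong to the authenticated user. The in-memory `$calendars` table, the user names and the function names are constructed for this illustration.

```php
<?php
// Added example (not ownCloud code): an export handler that verifies
// calendar ownership before returning any data. The in-memory table and
// all names are assumptions.

// Constructed data: two calendars owned by two different users.
$calendars = [
    1 => ['userid' => 'alice', 'ics' => "BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"],
    2 => ['userid' => 'bob',   'ics' => "BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"],
];

// Vulnerable shape: "calid" is looked up and returned; who asked is ignored.
function export_unchecked(array $calendars, int $calid): ?string
{
    return $calendars[$calid]['ics'] ?? null;
}

// Hardened shape: the row must exist AND belong to the requesting user.
// Returning the same null for "missing" and "not yours" avoids confirming
// which ids exist. A deployment with calendar sharing would extend the
// ownership test with a share lookup (assumption, not shown here).
function export_checked(array $calendars, int $calid, string $currentUser): ?string
{
    $row = $calendars[$calid] ?? null;
    if ($row === null || $row['userid'] !== $currentUser) {
        return null;                       // respond 403/404 and send nothing
    }
    return $row['ics'];
}

// Simulated request: the authenticated user is alice, and the id in the
// query string is 2, which belongs to bob. The (int) cast keeps the lookup
// key an integer regardless of what the query string contained.
$calid = (int) ($_GET['calid'] ?? 2);
$user  = 'alice';

echo "unchecked: ",
     export_unchecked($calendars, $calid) === null ? 'denied' : 'exported', PHP_EOL;
echo "checked:   ",
     export_checked($calendars, $calid, $user) === null ? 'denied' : 'exported', PHP_EOL;
```

A useful detection-side companion to the fix is logging the denied branch with both the requested id and the session user, since repeated mismatches from one account are what enumeration of other users' calendars looks like in the access log.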

## CREDITS
The ownCloud Team would like to thank Romain Severin
(http://www.intrinsec.com/) for discovering this vulnerability.

## RESOLUTION
Update to ownCloud Server 4.5.7
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!

