Owncloud App "Ldap user backend" stored password in clear text Author: francesco.tornieri \"At\" verona-wireless.net Summary: store domain admin password in clear text Discovery date: 09/05/2012 Developer date contact : 09/05/2012 Where: From local Release Date: 11/05/2012 Criticality level: High Impact: Discovery domain admin password Software: Owncloud 3.0.3 and below (tested sqlite backend) Description: The administrator domain credential are stored in clear text within the owncloud.db file ------- DOMAIN_ADMIN_PASSWORD="MYPASWWORD" strings /yourpath/owncloud/data/owncloud.db |grep -i ldap_pass '#user_ldapldap_passwordMYPASWWORD0% ------- Francesco Tornieri