Critical Security Flaws in ownCloud File Sharing App Could Expose Admin Passwords

November 24, 2023

The developers of ownCloud, an open-source file sharing software, recently announced three critical security vulnerabilities. Among these, one could potentially reveal administrator passwords and mail server credentials. ownCloud is a popular choice for businesses, educational institutions, government agencies, and individuals who prioritize privacy. The software allows users to manage and share files through a self-hosted platform, thereby providing an alternative to third-party cloud storage providers. ownCloud's website states that the software has 200,000 installations, 600 enterprise customers, and 200 million users.

The software is made up of multiple libraries and components that work together to offer various functionalities for the cloud storage platform. The team responsible for the software's development issued three security bulletins, alerting users to the vulnerabilities that could seriously compromise ownCloud's integrity.

The first vulnerability, identified as CVE-2023-49103, received the maximum CVSS v3 score of 10. This flaw can be exploited to steal credentials and configuration information in containerized deployments, where it exposes all environment variables of the webserver. The issue stems from the app's reliance on a third-party library that reveals PHP environment details (phpinfo) through a URL, which could expose ownCloud admin passwords, mail server credentials, and license keys. The suggested solution is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change any secrets that might have been exposed.
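The first two mitigation steps can be checked with a short script. This is an added shell example, not code from ownCloud or the original article: it searches a directory tree for the test file named above and checks one php.ini for `phpinfo` in `disable_functions`. The function names are hypothetical, and it assumes a single php.ini governs the web server.

```shell
#!/bin/sh
# Added example (not ownCloud code): audit the CVE-2023-49103 mitigations.
# Usage: sh audit.sh <directory containing the install> <path to php.ini>

# Path suffix of the test file named in the bulletin.
TEST_FILE_SUFFIX='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# Print every copy of the test file found under directory $1.
find_phpinfo_test_file() {
    find "$1" -type f -path "*/$TEST_FILE_SUFFIX" 2>/dev/null
}

# Succeed only if php.ini $1 has an active (uncommented) disable_functions
# directive listing phpinfo. Assumes the last occurrence is the effective one.
phpinfo_disabled() {
    [ -r "$1" ] || return 1
    value=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
        tail -n 1 | sed 's/;.*//' | tr -d "\"'[:space:]")
    case ",$value," in
        *,phpinfo,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit ROOT PHP_INI: returns 0 when both mitigations are in place, else 1.
audit() {
    status=0
    hits=$(find_phpinfo_test_file "$1")
    if [ -n "$hits" ]; then
        printf 'DELETE: %s\n' "$hits"
        status=1
    fi
    if ! phpinfo_disabled "$2"; then
        printf 'phpinfo is not disabled in %s\n' "$2"
        status=1
    fi
    [ "$status" -eq 0 ] && echo 'OK: test file absent, phpinfo disabled'
    return "$status"
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

A clean result covers only the first two steps; secrets that may already have been exposed still need to be changed, as the bulletin advises.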

"It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," the security bulletin cautions. "Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."

The second vulnerability, which received a CVSS v3 score of 9.8, affects ownCloud core library versions 10.6.0 to 10.13.0. It is an authentication bypass flaw that could allow attackers to access, modify, or delete any file without authentication if they know the victim's username and the victim has not configured a signing key (the default setting). The proposed solution is to prohibit the use of pre-signed URLs if no signing key is configured for the file's owner.

The third flaw, with a CVSS v3 score of 9, is a subdomain validation bypass issue that affects all versions of the oauth2 library below 0.6.1. In the oauth2 app, an attacker can enter a specially crafted redirect URL that bypasses the validation code, enabling redirection of callbacks to a domain controlled by the attacker. The suggested mitigation is to strengthen the validation code in the oauth2 app. A temporary workaround shared in the bulletin is to disable the "Allow Subdomains" option.

These three security flaws could significantly compromise the security and integrity of the ownCloud environment, potentially leading to the exposure of sensitive information, covert data theft, phishing attacks, and more. Security vulnerabilities in file-sharing platforms have been consistently targeted, with ransomware groups, like CLOP, exploiting them in data theft attacks on thousands of companies globally. As such, it's crucial for ownCloud administrators to promptly implement the recommended fixes and update the libraries as soon as possible to mitigate these risks.
