TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0
Published: 2012/04/18
Version 1.0
Affected products:
ownCloud version 3.0.0 (others not tested)
http://owncloud.org
References:
TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt
(used for updates)
CVE-2012-2269 - XSS in ownCloud 3.0.0
CVE-2012-2270 - Open Redirect in ownCloud 3.0.0
Summary:
"ownCloud gives you easy and universal access to all of your files.
It also provides a platform to easily view, sync and share your
contacts, calendars, bookmarks and files across all your devices.
ownCloud 3 brings loads of new features and hundreds of fixes"
Vulnerable Scripts:
stored XSS:
- /apps/contacts/ajax/addcard.php (any input field)
- /apps/contacts/ajax/addproperty.php (parameter)
- /apps/contacts/ajax/createaddressbook (name)
reflected XSS:
- /files/download.php (file)
- /files/index.php (name, user, redirect_url)
open redirect after login:
- Login Page
Examples:
stored XSS:
- add a new contact and enter <script>alert("Help Me")</script> in
any field, save the contact
- add a new date in calendar with name <script>alert("Help
Me")</script>"
reflected XSS (un-authenticated):
-
http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help
Me")</script><l=" (must not be logged in)
open redirect after login:
-
http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreife
r.de/
Possible solutions:
- update to OwnCloud 3.0.2
Disclosure Timeline:
2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
2012/02/01 vendor contacted via E-Mail
2012/02/02 vendor response
2012/04/16 asked vendor for status updates
2012/04/16 vendor status: patched with version 3.0.2
2012/04/18 public disclosure
Credits:
Tobias Glemser (tglemser@tele-consulting.com)
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com
Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.