ownCloud 3.0.0 Cross Site Scripting

2012.04.19
Credit: Tobias Glemser
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2012-2269 | CVE-2012-2270
CWE: CWE-79

TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0 Published: 2012/04/18 Version 1.0 Affected products: ownCloud version 3.0.0 (others not tested) http://owncloud.org References: TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt (used for updates) CVE-2012-2269 - XSS in ownCloud 3.0.0 CVE-2012-2270 - Open Redirect in ownCloud 3.0.0 Summary: "ownCloud gives you easy and universal access to all of your files. It also provides a platform to easily view, sync and share your contacts, calendars, bookmarks and files across all your devices. ownCloud 3 brings loads of new features and hundreds of fixes" Vulnerable Scripts: stored XSS: - /apps/contacts/ajax/addcard.php (any input field) - /apps/contacts/ajax/addproperty.php (parameter) - /apps/contacts/ajax/createaddressbook (name) reflected XSS: - /files/download.php (file) - /files/index.php (name, user, redirect_url) open redirect after login: - Login Page Examples: stored XSS: - add a new contact and enter <script>alert("Help Me")</script> in any field, save the contact - add a new date in calendar with name <script>alert("Help Me")</script>" reflected XSS (un-authenticated): - http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in) open redirect after login: - http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreife r.de/ Possible solutions: - update to OwnCloud 3.0.2 Disclosure Timeline: 2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail 2012/02/01 vendor contacted via E-Mail 2012/02/02 vendor response 2012/04/16 asked vendor for status updates 2012/04/16 vendor status: patched with version 3.0.2 2012/04/18 public disclosure Credits: Tobias Glemser (tglemser@tele-consulting.com) Tele-Consulting security networking training GmbH, Germany www.tele-consulting.com Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore Tele-Consulting shall not be liable for any direct or indirect damages that might be caused by using this information.

References:

http://owncloud.org


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top