ID OPENVAS:1361412562310804663 Type openvas Reporter Copyright (C) 2014 Greenbone Networks GmbH Modified 2020-04-20T00:00:00
Description
This host is installed with ownCloud and is prone to unauthorized picture
preview access.
###############################################################################
# OpenVAS Vulnerability Test
#
# ownCloud Preview Picture Access Authentication Bypass Vulnerability
#
# Authors:
# Shakeel <bshakeel@secpod.com>
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
CPE = "cpe:/a:owncloud:owncloud";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.804663");
script_version("2020-04-20T13:31:49+0000");
script_cve_id("CVE-2014-3963");
script_bugtraq_id(68194);
script_tag(name:"cvss_base", value:"4.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:P/I:N/A:N");
script_tag(name:"last_modification", value:"2020-04-20 13:31:49 +0000 (Mon, 20 Apr 2020)");
script_tag(name:"creation_date", value:"2014-07-03 16:32:28 +0530 (Thu, 03 Jul 2014)");
script_name("ownCloud Preview Picture Access Authentication Bypass Vulnerability");
script_tag(name:"summary", value:"This host is installed with ownCloud and is prone to unauthorized picture
preview access.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"The flaw is due to the server failing to sufficiently check if an
authenticated user has access to preview pictures of other users");
script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to view other user's
pictures.");
script_tag(name:"affected", value:"ownCloud Server 6.0.x before 6.0.1");
script_tag(name:"solution", value:"Upgrade to ownCloud version 6.0.1 or later.");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name:"URL", value:"http://owncloud.org/security/advisory/?id=oC-SA-2014-009");
script_xref(name:"URL", value:"http://www.zerodaylab.com/vulnerabilities/CVE-2014/CVE-2014-3963.html");
script_category(ACT_GATHER_INFO);
script_tag(name:"qod_type", value:"remote_banner");
script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
script_family("Web application abuses");
script_dependencies("gb_owncloud_detect.nasl");
script_mandatory_keys("owncloud/installed");
script_require_ports("Services/www", 80);
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if(!ownPort = get_app_port(cpe:CPE)){
exit(0);
}
if(!ownVer = get_app_version(cpe:CPE, port:ownPort)){
exit(0);
}
if(version_is_equal(version:ownVer, test_version:"6.0.0"))
{
report = report_fixed_ver(installed_version:ownVer, vulnerable_range:"Equal to 6.0.0");
security_message(port:ownPort, data:report);
exit(0);
}
{"id": "OPENVAS:1361412562310804663", "type": "openvas", "bulletinFamily": "scanner", "title": "ownCloud Preview Picture Access Authentication Bypass Vulnerability", "description": "This host is installed with ownCloud and is prone to unauthorized picture\npreview access.", "published": "2014-07-03T00:00:00", "modified": "2020-04-20T00:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804663", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://owncloud.org/security/advisory/?id=oC-SA-2014-009", "http://www.zerodaylab.com/vulnerabilities/CVE-2014/CVE-2014-3963.html"], "cvelist": ["CVE-2014-3963"], "lastseen": "2020-04-22T17:03:36", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-3963"]}], "modified": "2020-04-22T17:03:36", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-04-22T17:03:36", "rev": 2}, "vulnersScore": 5.6}, "pluginID": "1361412562310804663", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ownCloud Preview Picture Access Authentication Bypass Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:owncloud:owncloud\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804663\");\n script_version(\"2020-04-20T13:31:49+0000\");\n script_cve_id(\"CVE-2014-3963\");\n script_bugtraq_id(68194);\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-04-20 13:31:49 +0000 (Mon, 20 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-07-03 16:32:28 +0530 (Thu, 03 Jul 2014)\");\n script_name(\"ownCloud Preview Picture Access Authentication Bypass Vulnerability\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with ownCloud and is prone to unauthorized picture\npreview access.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The flaw is due to the server failing to sufficiently check if an\nauthenticated user has access to preview pictures of other users\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to view other user's\npictures.\");\n script_tag(name:\"affected\", value:\"ownCloud Server 6.0.x before 6.0.1\");\n script_tag(name:\"solution\", value:\"Upgrade to ownCloud version 6.0.1 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://owncloud.org/security/advisory/?id=oC-SA-2014-009\");\n script_xref(name:\"URL\", value:\"http://www.zerodaylab.com/vulnerabilities/CVE-2014/CVE-2014-3963.html\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_owncloud_detect.nasl\");\n script_mandatory_keys(\"owncloud/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ownPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!ownVer = get_app_version(cpe:CPE, port:ownPort)){\n exit(0);\n}\n\nif(version_is_equal(version:ownVer, test_version:\"6.0.0\"))\n{\n report = report_fixed_ver(installed_version:ownVer, vulnerable_range:\"Equal to 6.0.0\");\n security_message(port:ownPort, data:report);\n exit(0);\n}\n", "naslFamily": "Web application abuses"}
