Feb 20, 2013 - 10:42 a.m.

Server: Multiple CSRF vulnerabilities


0.002 Low




Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to hijack the authentication of users via

  • the “lat” and “lng” POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
    • Commits: 452a626 (stable45), 015ac6a (stable4)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to change the timezone of the user.
  • the “timezonedetection” POST parameter to timezonedetection.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
    • Commits: 452a626 (stable45), 97d0cee (stable4)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to disable or enable the automatic timezone detection.
  • the “admin_export” POST parameter to settings.php in /apps/admin_migrate/ (CVE-2013-0299)
    • Commits: bc93744 (stable45), 28dc89e (stable4)
    • Risk: Moderate
    • Note: Successful exploitation of this CSRF requires the “admin_migrate” app to be enabled (disabled by default).
    • Impact: An attacker may be able to import a user account.
  • the “operation” POST parameter to export.php in /apps/user_migrate/ajax/ (CVE-2013-0299)
    • Commits: 2de405a (stable45), de9befd (stable4)
    • Risk: Moderate
    • Note: Successful exploitation of this CSRF requires the “user_migrate” app to be enabled (disabled by default).
    • Impact: An attacker may be able to overwrite files of the logged-in user.
  • multiple unspecified POST parameters to settings.php in /apps/user_ldap/ (CVE-2013-0299)
    • Commits: 5ec272d (stable45), b966095 (stable4)
    • Risk: High
    • Note: Successful exploitation of this CSRF requires the “user_ldap” app to be enabled (disabled by default).
    • Impact: An attacker may be able to change the authentication server URL.

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to hijack the authentication of users via

  • the “v” POST parameter to changeview.php in /apps/calendar/ajax/ (CVE-2013-0300)
    • Commits: 452a626 (stable45)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to change the default view of a user.
  • multiple unspecified parameters to addRootCertificate.php, dropbox.php and google.php in /apps/files_external/ajax/ (CVE-2013-0300)
    • Commits: 2e819d6 + 24a7381e9f (stable45)
    • Risk: Medium
    • Note: Successful exploitation of this CSRF requires the “files_external” app to be enabled (disabled by default).
    • Impact: An attacker may be able to mount arbitrary Google Drive or Dropbox folders to the internal filesystem.
  • multiple unspecified POST parameters to settings.php in /apps/user_webdavauth/ (CVE-2013-0300)
    • Commits: 9282641 (stable45)
    • Risk: High
    • Note: Successful exploitation of this CSRF requires the “user_webdavauth” app to be enabled (disabled by default).
    • Impact: An attacker may be able to change the authentication server URL.

A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11 and all prior versions allows remote attackers to hijack the authentication of users via

  • the “timezone” POST parameter to settimezone in /apps/calendar/ajax/settings/ (CVE-2013-0301)
    • Commits: 97d0cee (stable4)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to change the timezone of a user.
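
For triage on a server that has not yet been updated, the following added example (not part of the ownCloud advisory or code base) scans access-log lines for POST requests to the endpoints listed above whose Referer is missing or names a different host. It assumes combined log format and that the scripts are requested at the paths as the advisory lists them; the function name, host names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Endpoint paths and risk ratings exactly as listed in the advisory.
AFFECTED = {
    "/apps/calendar/ajax/settings/guesstimezone.php": "Negligible",
    "/apps/calendar/ajax/settings/timezonedetection.php": "Negligible",
    "/apps/calendar/ajax/settings/settimezone": "Negligible",
    "/apps/calendar/ajax/changeview.php": "Negligible",
    "/apps/admin_migrate/settings.php": "Moderate",
    "/apps/user_migrate/ajax/export.php": "Moderate",
    "/apps/files_external/ajax/addRootCertificate.php": "Medium",
    "/apps/files_external/ajax/dropbox.php": "Medium",
    "/apps/files_external/ajax/google.php": "Medium",
    "/apps/user_ldap/settings.php": "High",
    "/apps/user_webdavauth/settings.php": "High",
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def flag_cross_site(lines, own_host):
    """Return (time, client, path, risk, referer) for POSTs to affected
    endpoints whose Referer is absent or names a host other than own_host."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, when, method, target, referer = m.groups()
        path = urlsplit(target).path
        # Suffix match so installs under a sub-directory (/owncloud/...) are covered.
        risk = next((r for p, r in AFFECTED.items() if path.endswith(p)), None)
        # Only POST is checked; the advisory names POST for all but files_external.
        if method != "POST" or risk is None:
            continue
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != own_host.lower():
            hits.append((when, client, path, risk, referer))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - alice [20/Feb/2013:10:01:02 +0000] "POST /owncloud/apps/user_ldap/settings.php HTTP/1.1" 200 512 "http://forum.example.net/thread/9" "Mozilla/5.0"',
    '203.0.113.7 - alice [20/Feb/2013:10:02:10 +0000] "POST /owncloud/apps/calendar/ajax/changeview.php HTTP/1.1" 200 20 "https://cloud.example.org/owncloud/index.php?app=calendar" "Mozilla/5.0"',
    '198.51.100.4 - bob [20/Feb/2013:10:03:00 +0000] "GET /owncloud/apps/user_ldap/settings.php HTTP/1.1" 200 900 "http://forum.example.net/" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(*flag_cross_site(SAMPLE, "cloud.example.org"), sep="\n")
```

A missing Referer is flagged as well, so hits are leads to review rather than confirmed forgeries.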

For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0
