Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
owncloudOwnCloudOC-SA-2014-021
HistoryNov 25, 2014 - 3:00 p.m.

Server: Local Path Disclosure when using Asset Pipeline

2014-11-2515:00:00
owncloud.org
21

EPSS

0.002

Percentile

56.5%

JSON

ownCloud 7 introduced the so-called “Asset Pipeline”. It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php

When the setting is enabled ownCloud concatenates all CSS and JS files into a single large blob file. Thus the amount of initial required requests to the ownCloud instance is lower and therefore the instance is loaded faster.

The generated files are stored on the local filesystem and use a filename that is generated by hashing the original CSS and JS absolute file paths using MD5.

Therefore, an attacker could perform a brute-force attack to gain the information under which path (e.g. /var/www/owncloud/) the ownCloud instance was installed.

For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0

Related

owncloud 1
openvas 1
prion 1
cvelist 1
nvd 1
cve 1
owncloud
owncloud
Local Path Disclosure when using Asset Pipeline - ownCloud
2014-11-25 18:36:53
openvas
openvas
ownCloud Asset Pipeline Feature Remote Path Disclosure Vulnerability (oC-SA-2014-021)
2015-02-19 00:00:00
prion
prion
Information disclosure
2015-02-04 18:59:00
cvelist
cvelist
CVE-2014-9044
2015-02-04 18:00:00
nvd
nvd
CVE-2014-9044
2015-02-04 18:59:04
cve
cve
CVE-2014-9044
2015-02-04 18:59:04

EPSS

0.002

Percentile

56.5%

JSON
Related for OC-SA-2014-021
owncloud1openvas1prion1cvelist1nvd1cve1