Lucene search
OwnCloudOC-SA-2015-004HistoryMar 25, 2015 - 2:49 p.m.
Server: Bypass of file blacklist
2015-03-2514:49:09
owncloud.org
21
0.003 Low
EPSS
Percentile
65.0%
A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud versions, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files.
An attacker could leverage this bypass by uploading a .htaccess and execute arbitrary PHP code if the /data/ directory is stored inside the webroot and a webserver that interprets .htaccess files is used (e.g. Apache)
ownCloud always recommends to move the data directory outside of the web root.
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0
| CPE | Name | Operator | Version |
|---|---|---|---|
| owncloud server | lt | 5.0.19 | |
| owncloud server | lt | 7.0.5 | |
| owncloud server | lt | 6.0.7 |
Related
owncloud
owncloud
Bypass of file blacklist - ownCloud
2015-03-25 18:44:49
Bypass of file blacklist on Microsoft Windows Platform - ownCloud
2015-03-25 18:44:05
Server: Bypass of file blacklist on Microsoft Windows Platform
2015-03-25 14:49:09
cve
cve
CVE-2015-3013
2015-05-08 14:59:00
prion
prion
Design/Logic Flaw
2015-05-08 14:59:00
ubuntucve
ubuntucve
CVE-2015-3013
2015-05-08 00:00:00
cvelist
cvelist
CVE-2015-3013
2015-05-08 14:00:00
securityvulns
securityvulns
[SECURITY] [DSA 3244-1] owncloud security update
2015-05-05 00:00:00
owncloud multiple security vulnerabilities
2015-05-05 00:00:00
osv
osv
owncloud - security update
2015-05-02 00:00:00
debian
debian
[SECURITY] [DSA 3244-1] owncloud security update
2015-05-02 11:15:35
[SECURITY] [DSA 3244-1] owncloud security update
2015-05-02 11:15:52
openvas
openvas
Debian Security Advisory DSA 3244-1 (owncloud - security update)
2015-05-02 00:00:00
Debian: Security Advisory (DSA-3244-1)
2015-05-01 00:00:00
nessus
nessus
Debian DSA-3244-1 : owncloud - security update
2015-05-04 00:00:00