Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
owncloudLukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.OWNCLOUD:1DF7A5F9B5502CE9032DFCD26CF158C0
HistoryJul 15, 2014 - 6:30 p.m.

Local file inclusion in core - ownCloud

2014-07-1518:30:18
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
owncloud.org
22

0.007 Low

EPSS

Percentile

81.1%

JSON

Due to an improper control of the filename for a require_once() statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions.

Depending on the ownCloud configuration and the authentication state of a remote attacker this vulnerability may have different impact. Specifically:

  • An unauthenticated remote attacker is able to reinstall the instance in case he is able to connect to a database or the SQLite driver is installed. This will overwrite the existing configuration and existing users will not be able to login anymore. This attack is very likely to be noticed, however an attacker is granted administrative access to the ownCloud instance. If a backup of the configuration file is accessible for the web server user the attacker might restore it after a successful exploitation to cover the attack
  • An unauthenticated remote attacker is able to execute arbitrary PHP code if he is able to upload files using the public upload functionality and he can guess the full path of the folder.
  • An authenticated remote attacker is able to execute arbitrary PHP code if the /data/ directory is below the ownCloud root. The directory can be moved using the datadirectory configuration in config/config.php.

ownCloud Inc. is currently not aware of any active attack that are exploiting this vulnerability. To verify whether your installation might have been attacked you can use the following regular expression: index.php\/[^ /]+\/[^ /]+\/[\.]+\/[\.]+\/. (e.g. cat /var/log/apache2/access_log | grep -i -E 'index.php\/[^ /]+\/[^ /]+\/[\.]+\/[\.]+\/*')

Please contact [email protected] if you have proof that you’ve been attacked using this vulnerability.

Affected Software

  • ownCloud Server < 6.0.4 (CVE-2014-4929)
  • ownCloud Server < 5.0.17 (CVE-2014-4929)

Action Taken

The ownCloud team has taken the following efforts to prevent further such attacks in the future:

  • All usages of potential dangerous functions including files in core have been reviewed.
  • All insecure usages of those functions have been fixed and deprecated, the specific parts routing component will be rewritten for ownCloud 8 to further harden the security.
  • The setup routine has been refactored. It will be no longer possible to call it directly beginning with ownCloud 7.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.

Related

nessus 1
openvas 1
ubuntucve 1
prion 1
nvd 1
owncloud 1
cve 1
cvelist 1
nessus
nessus
Mandriva Linux Security Advisory : owncloud (MDVSA-2014:140)
2014-07-30 00:00:00
openvas
openvas
ownCloud Local File Inclusion Vulnerability -01 (Aug 2014)
2014-08-25 00:00:00
ubuntucve
ubuntucve
CVE-2014-4929
2014-08-20 00:00:00
prion
prion
Directory traversal
2014-08-20 14:55:00
nvd
nvd
CVE-2014-4929
2014-08-20 14:55:06
owncloud
owncloud
Server: Local file inclusion in core
2014-07-15 20:10:05
cve
cve
CVE-2014-4929
2014-08-20 14:55:06
cvelist
cvelist
CVE-2014-4929
2014-08-20 14:00:00

0.007 Low

EPSS

Percentile

81.1%

JSON
Related for OWNCLOUD:1DF7A5F9B5502CE9032DFCD26CF158C0
nessus1openvas1ubuntucve1prion1nvd1owncloud1cve1cvelist1