Incorrect setup of external storage - ownCloud

2016-07-13T19:00:33
ID OWNCLOUD:2694260C4DA2915FB93395591DC8BA46
Type owncloud
Reporter Lukas Reschke – Vulnerability discovery and disclosure.
Modified 2018-01-03T19:01:05

Description

The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 is improperly setting up external storages when multiple groups have been granted access to an external storage and a user is member of both groups.

The storage class is setup without any setup information, leading to multiple issues, including:

Unavailability of the external storage

Access to files that are not supposed to be shared (only if the 'Local' storage type is used)

Affected Software

Action Taken

The storage code has been reviewed and been patched to properly setup the storage. Furthermore several hardenings have been added to ownCloud which will highly reduce the chance of a successful exploitation of similar vulnerabilities in the future.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - Vulnerability discovery and disclosure.