Information Exposure Through Directory Listing in the file scanner - ownCloud

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files.

This causes a massive server load and thus an enumeration of the whole server content is unlikely due to the high risk of Denial of Service.

For a more technical description please take a look at the advisory of the reporter.

Affected Software

• ownCloud Server < 8.2.2 (CVE-2016-1499)
  • core/703b6d1803d776122ec0604cf0f3ab807033206e
• ownCloud Server < 8.1.5 (CVE-2016-1499)
  • core/a4a7ee1761ddd1681e7a8d5868ae4a6c671495fa
• ownCloud Server < 8.0.10 (CVE-2016-1499)
  • core/fab59179f1661da4862336fb8ea450c80def26d4

Action Taken

The vulnerable vulnerable component has been patched and will be replaced by a cronjob in ownCloud 9.0.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Dr. Erlijn van Genuchten - SySS GmbH - Vulnerability discovery and disclosure.