Local Path Disclosure when using Asset Pipeline - ownCloud

ownCloud 7 introduced the so-called “Asset Pipeline”. It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php

When the setting is enabled ownCloud concatenates all CSS and JS files into a single large blob file. Thus the amount of initial required requests to the ownCloud instance is lower and therefore the instance is loaded faster.

The generated files are stored on the local filesystem and use a filename that is generated by hashing the original CSS and JS absolute file paths using MD5.

Therefore, an attacker could perform a brute-force attack to gain the information under which path (e.g. /var/www/owncloud/) the ownCloud instance was installed.

Affected Software

• ownCloud Server < 7.0.3 (CVE-2014-9044)

Action Taken

The filename is now generated by using relative file paths to the ownCloud installation. Therefore an attacker cannot brute-force the absolute paths anymore.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.