Lucene search
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.OWNCLOUD:4BBAC2D69EBDD309A9EC274DD8C8BF85HistoryJul 03, 2014 - 6:17 p.m.
Session Fixation - ownCloud
2014-07-0318:17:28
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
owncloud.org
22
EPSS
0.005
Percentile
76.0%
Due to authenticating a user without invalidating any existing session identifier an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET.
Affected Software
- ownCloud Server < 6.0.2 (CVE-2014-2047)
Action Taken
The session is now regenerated after a successful login.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
Related
openvas
openvas
ownCloud Session Fixation Vulnerability
2014-05-06 00:00:00
cvelist
cvelist
CVE-2014-2047
2014-03-14 16:00:00
nvd
nvd
CVE-2014-2047
2014-03-14 16:55:05
cve
cve
CVE-2014-2047
2014-03-14 16:55:05
ubuntucve
ubuntucve
CVE-2014-2047
2014-03-14 00:00:00
prion
prion
Session fixation
2014-03-14 16:55:00
owncloud
owncloud
Server: Session Fixation
2014-07-03 02:00:00
Insecure Flash Cross Domain policies - ownCloud
2014-07-03 18:18:59
Server: LDAP injection
2014-07-03 02:00:00