A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess
files.
An attacker could leverage this bypass by uploading a .htaccess
and execute arbitrary PHP code if the /data/
directory is stored inside the webroot and a webserver that interprets .htaccess
files is used (e.g. Apache)
ownCloud always recommends to move the data
directory outside of the web root.
The blacklist bypass has been fixed and unit tests has been added to prevent future regressions.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 5.0.19 | |
owncloud server | lt | 7.0.5 | |
owncloud server | lt | 6.0.7 |