Stored XSS in "bookmarks" application - ownCloud

Due to not sanitising all user provided input, the “bookmarks” application shipped with the below mentioned ownCloud versions is vulnerable to a stored Cross-site scripting attack.
The “bookmarks” application is disabled by default.

Abusing this vulnerability requires the user to import a malicious crafted “bookmark file”. However, an attacker can leverage oC-SA-2014-027 to achieve this.

Successful exploitation requires that the victim then clicks on the malicious crafted entry within the bookmarks application.

ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy; this vulnerability is therefore not exploitable if you use a browser that supports the current CSP standard.

Affected Software

• ownCloud Server < 7.0.3 (CVE-2014-9042)
• ownCloud Server < 6.0.6 (CVE-2014-9042)
• ownCloud Server < 5.0.18 (CVE-2014-9042)

Action Taken

The issue was caused by not verifying the protocol when importing a bookmark from a “bookmark file”. Therefore it was possible to import links such as javascript:alert(1) resulting in a stored XSS vulnerability.

The template system is now verifying whether a bookmark url starts with a supported protocol. If not http:// will be appended to the URL to avoid exploitability of such issues.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.