Because user-supplied input is trusted and interpreted as the Host header, an attacker is able to craft a password reset mail with a link pointing to their own site. If the user clicks the link, or if software (e.g. antivirus) accesses the link, the attacker is able to reset the user's password.
The new ‘trusted_domain’ setting has been introduced, in which all domains from which ownCloud should be accessible have to be specified. A default configuration can be found in config/config.sample.php.
ownCloud will add this configuration setting on its own during an update or a fresh installation using the currently used domain.
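The following added example (not ownCloud's own code) contrasts a reset-link builder that trusts the Host header with one that accepts it only when it matches a configured domain list. The function names, the `/lostpassword/reset` path, the sample domains and the fallback behaviour are assumptions made for illustration.

```php
<?php
// Added illustration; not ownCloud's code. All names and paths are hypothetical.

/** Vulnerable: the link host comes straight from the request's Host header. */
function buildResetLinkUnsafe(array $server, string $token): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return 'https://' . $host . '/lostpassword/reset?token=' . rawurlencode($token);
}

/** Hardened: the Host header is used only if it matches a configured domain. */
function buildResetLinkSafe(array $server, string $token, array $trustedDomains): string
{
    if ($trustedDomains === []) {
        // Refuse to build links at all when nothing has been configured.
        throw new RuntimeException('No trusted domains configured');
    }
    $allowed = array_map('strtolower', array_values($trustedDomains));
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));

    // Exact, case-insensitive comparison: no substring or suffix matching,
    // so "cloud.example.com.attacker.example" is not accepted.
    if (!in_array($host, $allowed, true)) {
        // Log the mismatch for detection, then fall back to a configured
        // domain instead of echoing request input into the mail.
        error_log('Untrusted Host header ignored: ' . json_encode($host));
        $host = $allowed[0];
    }
    return 'https://' . $host . '/lostpassword/reset?token=' . rawurlencode($token);
}

// Constructed sample request carrying a Host header the server does not own.
$request = ['HTTP_HOST' => 'attacker.example'];
$trusted = ['cloud.example.com'];   // constructed sample domain list
$token   = 'constructed-token';     // constructed sample value

echo buildResetLinkUnsafe($request, $token), PHP_EOL;
echo buildResetLinkSafe($request, $token, $trusted), PHP_EOL;
```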
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | owncloud server | lt | 5.0.15 |
| | owncloud server | lt | 6.0.2 |