The 'Import root certificate' ability that users are able to use once files_external is enabled allows users to import their own root certificates for connections. (e.g. server-to-server shares to servers using a self-signed certificate or external storages)
The functionality was using the PHP OpenSSL parsing functions for parsing these certificate files. Namely,
openssl_x509_parse. It turned out that these internally call
php_openssl_x509_from_zval which allow passing in a file:///
Therefore an attacker could pass a file beginning with
file:// and ownCloud would try to parse the corresponding file. This leads to a disclosure of arbitrary certificate files if the adversary can guess the correct path.
ownCloud is now preventing files that being with 'file://' from being parsed.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: