Disclosure of arbitrary certificate files - ownCloud

2016-07-13T18:59:46
ID OWNCLOUD:7EFABDC3C3315C006BE5F5C6692E692F
Type owncloud
Reporter Lukas Reschke – Vulnerability discovery and disclosure.
Modified 2018-01-03T19:00:22

Description

The 'Import root certificate' feature, available to users once the files_external app is enabled, lets them import their own root certificates for outgoing connections (for example, server-to-server shares or external storages on servers that use a self-signed certificate).
The functionality used the PHP OpenSSL parsing functions openssl_pkey_get_public and openssl_x509_parse to parse the uploaded certificate files. These internally call php_openssl_x509_from_zval, which accepts a string beginning with file:// and treats it as a path to read from the local filesystem instead of as certificate data.
An attacker could therefore upload a "certificate" consisting of a file:// URI, and ownCloud would attempt to parse the file at that path on the server. This leads to the disclosure of arbitrary certificate files on the server if the adversary can guess the correct path.

Affected Software

Action Taken

ownCloud now rejects uploaded certificate files that begin with 'file://' before handing them to the OpenSSL parsing functions.
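The following is an added illustration, not ownCloud's own code, of the parsing path described above and of the kind of check the fix applies. It relies only on the documented PHP behaviour that openssl_x509_parse() and openssl_pkey_get_public() accept either inline certificate data or a string of the form file://path. The function names, the attacker's path guess and the PEM requirement in the hardened variant are assumptions made for this example.

```php
<?php
// Added example (not ownCloud's code): how the PHP OpenSSL helpers treat a
// "file://" prefix, and a hardened wrapper that refuses it.

/**
 * Vulnerable variant: hands the upload body straight to the parser.
 * openssl_x509_parse() accepts either PEM/DER data or a string of the form
 * "file://path/to/cert.pem" (openssl_pkey_get_public() behaves the same way).
 * If the upload body is a file:// URI, OpenSSL opens that path on the server
 * instead of parsing the uploaded bytes.
 */
function parseUploadedCertificateVulnerable(string $uploaded): ?array
{
    $parsed = @openssl_x509_parse($uploaded);
    return $parsed === false ? null : $parsed;
}

/**
 * Hardened variant: only inline certificate data ever reaches the parser.
 * The file:// check mirrors the fix described in the advisory; additionally
 * requiring a PEM block is an assumption of this example (root certificates
 * imported through the UI are expected to be PEM).
 */
function parseUploadedCertificateHardened(string $uploaded): ?array
{
    // Reject anything that looks like a file reference, ignoring leading
    // whitespace and case so that " FILE://..." is caught as well.
    if (stripos(ltrim($uploaded), 'file://') === 0) {
        return null;
    }
    // Require an actual PEM certificate block in the upload body.
    if (strpos($uploaded, '-----BEGIN CERTIFICATE-----') === false) {
        return null;
    }
    $parsed = @openssl_x509_parse($uploaded);
    return $parsed === false ? null : $parsed;
}

// Constructed attacker input: a guessed path to a certificate on the server.
// The path is hypothetical and chosen only for illustration.
$attackerInput = "file:///etc/ssl/certs/ssl-cert-snakeoil.pem";

$leaked = parseUploadedCertificateVulnerable($attackerInput);
if ($leaked !== null) {
    // The parsed subject, issuer and validity of a server-local file are
    // returned to the user: the disclosure the advisory describes.
    echo "vulnerable: parsed a server-local file, subject CN="
        . ($leaked['subject']['CN'] ?? '?') . "\n";
} else {
    echo "vulnerable variant: nothing parseable at the guessed path\n";
}

$safe = parseUploadedCertificateHardened($attackerInput);
echo "hardened variant returned: " . var_export($safe, true) . "\n";
```

The prefix check alone closes the path described in the advisory, since php_openssl_x509_from_zval only switches to file access on an exact leading "file://". Insisting on an inline PEM block is a defence in depth that also rules out any future parser input forms that are not literal certificate data; drop it if DER uploads must remain supported.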

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - Vulnerability discovery and disclosure.