ownCloud offers the OC_Util::getUrlContent()
to developers. Using this function applications can download content from remote websites.
Due to a newly introduced bug in this functionality it was following redirects to other protocols such as file://
. Thus, an attacker may be able to gain access to local files stored on the ownCloud instance.
OC_Util::getUrlContent()
is now following only redirects to the HTTP
and HTTPS
protocols.
Some other functions have received further hardening as well to prevent potential bypasses of network restrictions. (In particular the “Download from URL” feature will not accept redirect to other protocols such as FTP anymore).
Those specific hardenings have been also applied to 6.0.6 and 5.0.18 but are not considered as security bugs by the ownCloud project.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 7.0.3 |