Potential local file disclosure - ownCloud

ownCloud offers the OC_Util::getUrlContent() to developers. Using this function applications can download content from remote websites.

Due to a newly introduced bug in this functionality it was following redirects to other protocols such as file://. Thus, an attacker may be able to gain access to local files stored on the ownCloud instance.

Affected Software

• ownCloud Server < 7.0.3 (CVE-2014-9046)

Action Taken

OC_Util::getUrlContent() is now following only redirects to the HTTP and HTTPS protocols.
Some other functions have received further hardening as well to prevent potential bypasses of network restrictions. (In particular the “Download from URL” feature will not accept redirect to other protocols such as FTP anymore).

Those specific hardenings have been also applied to 6.0.6 and 5.0.18 but are not considered as security bugs by the ownCloud project.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.