Disclosure of users files when deleting parent folders of shared files - ownCloud

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that setup a virtual chroot or other security relevant limitations PHP would typecast the return value to an empty string and thus effectively bypassing the internal security functions of ownCloud.

getPath with a return type of null is a common occurrence in case a folder has been shared publicly and the parent item has been deleted later from the database. Due to missing foreign keys the share is still considered valid and will finally resolve to the users’ root directory.

In such cases an adversary with knowledge of the sharing link to a deleted item may be able to access all files of the user and not only the original shared directory.

Affected Software

• ownCloud Server < 7.0.7 (CVE-2015-5954)
• ownCloud Server < 8.0.5 (CVE-2015-5954)
• ownCloud Server < 6.0.9 (CVE-2015-5954)

Action Taken

All usages of the getPath function has been revised and corrected.

Furthermore, ownCloud 8.2 will feature another security hardening where instead of returning null for invalid files now an exception is thrown. In case of an exception ownCloud will stop the script execution and also static source code analysis will make developers aware of such situations.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.