owncloud
Robin McCorkell – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
OWNCLOUD:E25472B99B9DB49F6C4029F91E615002
History: Sep 30, 2015 - 6:54 p.m.

PHP arbitrary class instantiation in "files_external" - ownCloud

2015-09-30 18:54:55
owncloud.org

EPSS: 0.008 Low, Percentile: 79.5%

A user may instantiate arbitrary ownCloud classes because the mount point options submitted through the web front end are not properly checked. These options may include constructor arguments, which could potentially lead to remote code execution.

Affected Software

Action Taken

The mount points are now properly validated in the controller before being stored.
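
The class of bug described above, next to a validate-before-store check, as an added example that is not ownCloud's code. All class, function and key names are hypothetical, and the code assumes PHP 8.0 or later.

```php
<?php
// Added illustration; all names are hypothetical, not ownCloud's code.
interface StorageBackend {}

final class LocalBackend implements StorageBackend {
    public function __construct(public array $options) {}
}

final class SftpBackend implements StorageBackend {
    public function __construct(public array $options) {}
}

// Unsafe pattern: the class name and constructor arguments are taken
// from the request as-is, so any loadable class can be constructed.
function createStorageUnchecked(array $mount): object {
    $class = $mount['class'];
    return new $class($mount['options']);
}

// Hardened pattern: the request carries a backend identifier, which is
// mapped to a class through a fixed allowlist before anything is stored.
const ALLOWED_BACKENDS = [
    'local' => LocalBackend::class,
    'sftp'  => SftpBackend::class,
];

function validateMount(array $mount): array {
    $id = $mount['backend'] ?? null;
    if (!is_string($id) || !array_key_exists($id, ALLOWED_BACKENDS)) {
        throw new InvalidArgumentException('unknown storage backend');
    }
    $options = $mount['options'] ?? [];
    if (!is_array($options)) {
        throw new InvalidArgumentException('options must be an array');
    }
    foreach ($options as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            throw new InvalidArgumentException('invalid option entry');
        }
    }
    return ['class' => ALLOWED_BACKENDS[$id], 'options' => $options];
}

function createStorage(array $mount): StorageBackend {
    $valid = validateMount($mount);   // validate first, then instantiate
    $class = $valid['class'];
    return new $class($valid['options']);
}
```

With this check in the controller, a request naming a backend outside the allowlist raises `InvalidArgumentException` before the mount configuration is stored or any object is constructed.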

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Robin McCorkell - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
