Improper authorization checks in core - ownCloud

2014-05-24T18:29:35
ID OWNCLOUD:EB9BDEB85AACE7674876FD8C3DC4B44D
Type owncloud
Reporter Eddy Xu (flyingtest09@gmail.com) – Vulnerability discovery and disclosure., Robin Appelmann – ownCloud Inc. (icewind@owncloud.com) – Investigating the affected components and providing a patch., Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Coordinating the patches.
Modified 2018-01-03T19:17:59

Description

Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to access the file names of other users.

Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3838)
  • ownCloud Server < 5.0.16 (CVE-2014-3838)

Action Taken

We added a permission check that verifies whether the account performing the share is actually allowed to share the specified file.
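The following is an added illustrative model of the bug class described above and of the fix in "Action Taken"; it is not ownCloud's code, and every name in it (ShareService, share_file_vulnerable, share_file_fixed, the user and file names) is an assumption made for the example. It shows why two accounts are needed: account A issues a share for a file it does not own, and account B, the recipient, then sees the file name in its incoming-shares list. The hardened variant refuses the share unless the acting account owns the file or has itself received a share of it.

```python
"""Model of a share endpoint with and without an authorization check.

Illustrative example only (not ownCloud code). The class and function names,
the user names and the file names are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    file_id: int
    owner: str
    name: str


@dataclass(frozen=True)
class Share:
    file_id: int
    shared_by: str
    shared_with: str


class ShareService:
    def __init__(self, files):
        self.files = {f.file_id: f for f in files}
        self.shares = []

    def _can_share(self, actor, file_id):
        """Authorization rule: the actor must own the file or have received it.

        (An assumed rule for the example; a real system may also consult a
        per-share 'reshare' permission bit.)
        """
        f = self.files.get(file_id)
        if f is None:
            return False
        if f.owner == actor:
            return True
        return any(s.file_id == file_id and s.shared_with == actor
                   for s in self.shares)

    def share_file_vulnerable(self, actor, file_id, recipient):
        # Bug: only checks that the file exists. Any authenticated user can
        # create a share for any file id, regardless of who owns it.
        if file_id not in self.files:
            raise KeyError("no such file")
        self.shares.append(Share(file_id, actor, recipient))

    def share_file_fixed(self, actor, file_id, recipient):
        # Fix: reject the request unless the actor may share this file.
        # The same error is returned for "missing" and "not yours", so the
        # endpoint does not become an oracle for which file ids exist.
        if not self._can_share(actor, file_id):
            raise PermissionError("not allowed to share this file")
        self.shares.append(Share(file_id, actor, recipient))

    def incoming_share_names(self, user):
        # The recipient's view exposes the file name, and only the name,
        # which matches the impact described in the advisory.
        return [self.files[s.file_id].name
                for s in self.shares if s.shared_with == user]


def cross_account_leak(use_fix):
    """Replay the two-account attack; return what the second account sees."""
    # Constructed sample data for the example.
    svc = ShareService([
        File(1, "victim", "board-minutes.docx"),
        File(2, "attacker-a", "scratch.txt"),
    ])
    share = svc.share_file_fixed if use_fix else svc.share_file_vulnerable
    try:
        # attacker-a guesses the victim's file id and shares it to attacker-b
        share("attacker-a", 1, "attacker-b")
    except PermissionError:
        pass
    # a legitimate share of attacker-a's own file must still work either way
    share("attacker-a", 2, "attacker-b")
    return svc.incoming_share_names("attacker-b")


if __name__ == "__main__":
    print("vulnerable:", cross_account_leak(use_fix=False))
    print("fixed:     ", cross_account_leak(use_fix=True))
```

With the vulnerable endpoint the second account's share list contains the victim's file name; with the check in place only the attacker's own file appears, and the existence of id 1 is not confirmed to the caller.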

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Eddy Xu (flyingtest09@gmail.com) - Vulnerability discovery and disclosure.
  • Robin Appelmann - ownCloud Inc. (icewind@owncloud.com) - Investigating the affected components and providing a patch.
  • Lukas Reschke - ownCloud Inc. (lukas@owncloud.org) - Coordinating the patches.