TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0
2012-04-23T00:00:00
ID SECURITYVULNS:DOC:27954 Type securityvulns Reporter Securityvulns Modified 2012-04-23T00:00:00
Description
TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0
Published: 2012/04/18
Version 1.0
Affected products:
ownCloud version 3.0.0 (others not tested)
http://owncloud.org
References:
TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt (used for updates)
CVE-2012-2269 - XSS in ownCloud 3.0.0
CVE-2012-2270 - Open Redirect in ownCloud 3.0.0
Summary:
"ownCloud gives you easy and universal access to all of your files.
It also provides a platform to easily view, sync and share your
contacts, calendars, bookmarks and files across all your devices.
ownCloud 3 brings loads of new features and hundreds of fixes"
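Vulnerable Scripts:
stored XSS:
- /apps/contacts/ajax/addcard.php (any input field)
- /apps/contacts/ajax/addproperty.php (parameter)
- /apps/contacts/ajax/createaddressbook (name)
reflected XSS: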
- /files/download.php (file)
- /files/index.php (name, user, redirect_url)
open redirect after login:
- Login Page
Examples:
stored XSS:
- add a new contact and enter <script>alert("Help Me")</script> in any field, save the contact
- add a new date in calendar with name <script>alert("Help Me")</script>"
reflected XSS (un-authenticated):
- http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in)
open redirect after login:
- http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreifer.de/
Possible solutions:
- update to OwnCloud 3.0.2
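Both the reflected XSS and the open redirect on the login page come from the redirect_url parameter being trusted, so the fix has two halves: restrict the redirect target to a same-site path, and encode the value wherever it is written into HTML. The PHP below is an added illustration, not ownCloud's code or its 3.0.2 patch; the function names, the fallback path, the sample values and the assumption that the value lands in a hidden form field attribute are all hypothetical.

```php
<?php
// Added illustration, not ownCloud code. Function names are hypothetical.

/** Accept only a same-site absolute path such as "/files/index.php?dir=/a". */
function safe_redirect_target(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters (CR, LF, NUL, tab) and backslashes are never needed
    // in a local path, and browsers may normalise "\" to "/".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    // Must start with exactly one "/": rejects "http://host/", "//host/" and
    // any value that is not a path at all.
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $fallback;
    }
    return $candidate;
}

/** Encode a value for use inside a quoted HTML attribute. */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values, as they would appear in $_GET['redirect_url']
// after PHP has URL-decoded the query string.
$samples = [
    '/files/index.php?dir=/documents',            // legitimate local target
    '1"><script>alert("Help Me")</script><l="',   // markup payload from the advisory
    'http://other-site.example/',                 // absolute URL (open redirect)
    '//other-site.example/',                      // scheme-relative URL
    '/"><script>alert(1)</script>',               // valid path shape, hostile content
];

foreach ($samples as $raw) {
    // The same validated value would be used for header('Location: ...')
    // after a successful login.
    $target = safe_redirect_target($raw, '/index.php');

    // Encode at the point of output even though the value was validated.
    printf(
        "%-45s -> <input type=\"hidden\" name=\"redirect_url\" value=\"%s\">\n",
        $raw,
        html_attr($target)
    );
}
```

The last sample passes the path check and is made inert only by the attribute encoding, which is why validation alone does not close the XSS.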
Disclosure Timeline:
2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
2012/02/01 vendor contacted via E-Mail
2012/02/02 vendor response
2012/04/16 asked vendor for status updates
2012/04/16 vendor status: patched with version 3.0.2
2012/04/18 public disclosure
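Credits:
Tobias Glemser (tglemser@tele-consulting.com)
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com
Disclaimer: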
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.