TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0
Published: 2012/04/18 Version 1.0
Affected products: ownCloud version 3.0.0 (others not tested) http://owncloud.org
References: TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt (used for updates) CVE-2012-2269 - XSS in ownCloud 3.0.0 CVE-2012-2270 - Open Redirect in ownCloud 3.0.0
Summary: "ownCloud gives you easy and universal access to all of your files. It also provides a platform to easily view, sync and share your contacts, calendars, bookmarks and files across all your devices. ownCloud 3 brings loads of new features and hundreds of fixes"
Vulnerable Scripts: stored XSS: - /apps/contacts/ajax/addcard.php (any input field) - /apps/contacts/ajax/addproperty.php (parameter) - /apps/contacts/ajax/createaddressbook (name)
reflected XSS: - /files/download.php (file) - /files/index.php (name, user, redirect_url) open redirect after login: - Login Page
Examples: stored XSS: - add a new contact and enter <script>alert("Help Me")</script> in any field, save the contact - add a new date in calendar with name <script>alert("Help Me")</script>"
reflected XSS (un-authenticated): -
http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in)
open redirect after login: -
Possible solutions: - update to OwnCloud 3.0.2
Disclosure Timeline: 2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail 2012/02/01 vendor contacted via E-Mail 2012/02/02 vendor response 2012/04/16 asked vendor for status updates 2012/04/16 vendor status: patched with version 3.0.2 2012/04/18 public disclosure
Credits: Tobias Glemser (email@example.com) Tele-Consulting security networking training GmbH, Germany www.tele-consulting.com
Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore Tele-Consulting shall not be liable for any direct or indirect damages that might be caused by using this information.