TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

2012-04-23T00:00:00
ID SECURITYVULNS:DOC:27954
Type securityvulns
Reporter Securityvulns
Modified 2012-04-23T00:00:00

Description

TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

Published: 2012/04/18 Version 1.0

Affected products: ownCloud version 3.0.0 (others not tested) http://owncloud.org

References: TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt (used for updates) CVE-2012-2269 - XSS in ownCloud 3.0.0 CVE-2012-2270 - Open Redirect in ownCloud 3.0.0

Summary: "ownCloud gives you easy and universal access to all of your files. It also provides a platform to easily view, sync and share your contacts, calendars, bookmarks and files across all your devices. ownCloud 3 brings loads of new features and hundreds of fixes"

Vulnerable Scripts: stored XSS: - /apps/contacts/ajax/addcard.php (any input field) - /apps/contacts/ajax/addproperty.php (parameter) - /apps/contacts/ajax/createaddressbook (name)

reflected XSS:
 - /files/download.php (file)
 - /files/index.php (name, user, redirect_url)

open redirect after login:
 - Login Page

Examples: stored XSS: - add a new contact and enter <script>alert("Help Me")</script> in any field, save the contact - add a new date in calendar with name <script>alert("Help Me")</script>"

reflected XSS &#40;un-authenticated&#41;:
  -

http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in)

open redirect after login:
  -

http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreife r.de/

Possible solutions: - update to OwnCloud 3.0.2

Disclosure Timeline: 2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail 2012/02/01 vendor contacted via E-Mail 2012/02/02 vendor response 2012/04/16 asked vendor for status updates 2012/04/16 vendor status: patched with version 3.0.2 2012/04/18 public disclosure

Credits: Tobias Glemser (tglemser@tele-consulting.com) Tele-Consulting security networking training GmbH, Germany www.tele-consulting.com

Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore Tele-Consulting shall not be liable for any direct or indirect damages that might be caused by using this information.