ownCloud, an open-source file sync and sharing solution, has recently issued warnings about three critical-severity security vulnerabilities. These vulnerabilities pose significant risks, including the exposure of administrator passwords and mail server credentials. ownCloud is a popular choice for individuals and organizations who prefer to manage and share files through a self-hosted platform, maintaining control over their data rather than relying on third-party cloud storage providers.
With 200,000 installs, 600 enterprise customers, and 200 million users, ownCloud is widely used by businesses, educational institutes, government agencies, and privacy-conscious individuals. The software is comprised of multiple libraries and components that work together to provide various functionalities for the cloud storage platform.
The first vulnerability, tracked as CVE-2023-49103, has received a maximum CVSS v3 score of 10. This flaw can be exploited to steal credentials and configuration information in containerized deployments, affecting all environment variables of the webserver. The issue arises from the app’s dependency on a third-party library that exposes PHP environment details through a URL, potentially exposing sensitive information such as ownCloud admin passwords, mail server credentials, and license keys.
To mitigate this vulnerability, it is recommended to delete the ‘owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php’ file, disable the ‘phpinfo’ function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys. It is important to note that simply disabling the graphapi app does not eliminate the vulnerability, as phpinfo exposes other potentially sensitive configuration details that could be exploited by attackers.
The second vulnerability, with a CVSS v3 score of 9.8, affects ownCloud core library versions 10.6.0 to 10.13.0 and is an authentication bypass problem. Attackers can access, modify, or delete any file without authentication if they know the user’s username and the user has not configured a signing-key (default setting). The recommended solution is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.
The third vulnerability, with a CVSS v3 score of 9, is a subdomain validation bypass issue affecting all versions of the oauth2 library below 0.6.1. In the oauth2 app, an attacker can input a specially crafted redirect URL that bypasses the validation code, allowing redirection of callbacks to a domain controlled by the attacker. To mitigate this vulnerability, it is recommended to harden the validation code in the Oauth2 app or temporarily disable the “Allow Subdomains” option.
These three security flaws pose significant risks to the security and integrity of the ownCloud environment. If left unaddressed, they could lead to the exposure of sensitive information, stealthy data theft, and phishing attacks. It is crucial for ownCloud administrators to promptly apply the recommended fixes and perform library updates to mitigate these risks.
File-sharing platforms have been increasingly targeted by malicious actors, with ransomware groups like CLOP exploiting them in data theft attacks on numerous companies worldwide. Given this threat landscape, it is imperative for ownCloud administrators to prioritize the security of their deployments and take immediate action to address these vulnerabilities.
[…] within the widely used open-source file synchronization and sharing solution, ownCloud. The severity of this flaw cannot be understated, with a maximum CVSS severity score of 10.0. The exploit allows remote threat […]