Date: Fri, 10 Aug 2012 11:25:52 +0200
From: Bruno Kleinert <fuddl@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Possible data loss or data modification in ownCloud

Hi there,

I stumbled over a security bug in owncloud 4.0.5 and 4.0.4 as it is
packaged in Debian sid/unstable and wheezy/testing, with the result of
data loss or modification, depending on the configuration of owncloud.
Though I tested and reproduced this flaw only with the Debian packages,
an ownCloud developer confirmed that this bug is not Debian-specific.

It is possible for regular users of owncloud to overwrite files that are
shared read-only by another owncloud user via WebDAV.

To reproduce I did the following steps on Debian sid/unstable and also
wheezy/testing:
     1. Install owncloud packages
     2. Open http://localhost/owncloud and finish installation by
        creating an admin user
     3. Log in as admin user and create two regular users user1 and
        user2
     4. Log into owncloud as user1 and create an empty text file
     5. Share this file to user2 and leave the "can edit" checkbox
        unchecked as it is by default
     6. Log in via WebDAV as user2 (I used nautilus of GNOME 3)
     7. Navigate to the empty file, open, edit and save it
     8. user1's once empty file now contains the changes from user2

If version control is activated in ownCloud, user1 could revert the file
to its previous state, but if it's *not* activated, user1's data is
lost.

I contacted an ownCloud developer who sent me a patch that was applied
to their development branch to address this issue. I had to adjust it a
little to make it apply against ownCloud 4.0.5 in Debian sid/unstable.
The patch should now be included in the latest Debian sid/unstable
owncloud 4.0.5debian2-2 package. I attach the adjusted patch to this
mail.

Best regards - Fuddl

Attachment: "fix-webdav-security.diff" (text/x-patch, 1826 bytes)
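The report describes a missing authorization check on the WebDAV write path: the share grants user2 visibility of the file, but the WebDAV handler never consults the "can edit" flag before accepting the write. The following Python model is an added illustration of that bug class and its fix; it is not the attached patch and not ownCloud's code. The `Store`, `Share`, `dav_put_vulnerable` and `dav_put_fixed` names, and the sample file `notes.txt`, are constructed for the example. It also keeps a version history to show why versioning is only a recovery control: it does not stop the overwrite.

```python
"""Model of a share-permission check on a WebDAV PUT (constructed example).

A tiny in-memory file store with owner-based sharing. The vulnerable handler
only checks that the target is visible to the requester; the fixed handler
also requires the share's edit permission before accepting the write.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Write refused; a real DAV server would answer HTTP 403."""


@dataclass
class Share:
    owner: str
    path: str
    shared_with: str
    can_edit: bool = False   # the "can edit" checkbox, unchecked by default


@dataclass
class Store:
    files: dict = field(default_factory=dict)     # (owner, path) -> content
    versions: dict = field(default_factory=dict)  # (owner, path) -> [old contents]
    shares: list = field(default_factory=list)

    def share_for(self, user, owner, path):
        """Return the share granting `user` access to owner's file, if any."""
        for s in self.shares:
            if s.owner == owner and s.path == path and s.shared_with == user:
                return s
        return None

    def visible(self, user, owner, path):
        """Read access: the owner, or anyone the file is shared with."""
        return user == owner or self.share_for(user, owner, path) is not None

    def _write(self, owner, path, content):
        # Version history records the previous content (recovery, not prevention).
        self.versions.setdefault((owner, path), []).append(self.files[(owner, path)])
        self.files[(owner, path)] = content

    def dav_put_vulnerable(self, user, owner, path, content):
        """Bug: read visibility is treated as write permission."""
        if not self.visible(user, owner, path):
            raise Forbidden(path)
        self._write(owner, path, content)

    def dav_put_fixed(self, user, owner, path, content):
        """Fix: a non-owner needs a share that explicitly allows editing."""
        if user != owner:
            share = self.share_for(user, owner, path)
            if share is None or not share.can_edit:
                raise Forbidden(path)
        self._write(owner, path, content)


def reproduce():
    """Replay steps 4-8 of the report against both handlers (constructed data).

    Returns {handler_name: (final content of user1's file, write_refused)}.
    """
    results = {}
    handlers = (("vulnerable", Store.dav_put_vulnerable),
                ("fixed", Store.dav_put_fixed))
    for name, put in handlers:
        store = Store()
        store.files[("user1", "notes.txt")] = ""                  # step 4: empty file
        store.shares.append(Share("user1", "notes.txt", "user2"))  # step 5: read-only share
        try:
            put(store, "user2", "user1", "notes.txt", "edited by user2")  # step 7
            refused = False
        except Forbidden:
            refused = True
        results[name] = (store.files[("user1", "notes.txt")], refused)
    return results


def owner_and_editor_still_write():
    """Sanity check for the fix: owner and an editable share may still write."""
    store = Store()
    store.files[("user1", "notes.txt")] = ""
    store.shares.append(Share("user1", "notes.txt", "user2", can_edit=True))
    store.dav_put_fixed("user1", "user1", "notes.txt", "owner edit")
    store.dav_put_fixed("user2", "user1", "notes.txt", "editor edit")
    return store.files[("user1", "notes.txt")], store.versions[("user1", "notes.txt")]


if __name__ == "__main__":
    for name, (content, refused) in reproduce().items():
        print(f"{name:10s} content={content!r} refused={refused}")
```

Running the block prints the outcome for both handlers: the vulnerable path lets user2's text replace the owner's empty file, the fixed path refuses the PUT and leaves the content untouched. The same check belongs on every write-capable DAV method (PUT, MOVE, DELETE, PROPPATCH), since a fix applied only to PUT leaves the other paths open.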

