Date: Fri, 10 Aug 2012 11:25:52 +0200
From: Bruno Kleinert <fuddl@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Possible data loss or data modification in ownCloud

Hi there,

I stumbled over a security bug in ownCloud 4.0.5 and 4.0.4 as it is packaged in Debian sid/unstable and wheezy/testing, with the result of data loss or modification, depending on the configuration of ownCloud. Though I tested and reproduced this flaw only with the Debian packages, an ownCloud developer confirmed that this bug is not Debian-specific.

It is possible for regular users of ownCloud to overwrite files that are shared read-only by another ownCloud user via WebDAV.

To reproduce, I did the following steps on Debian sid/unstable and also wheezy/testing:

1. Install owncloud packages
2. Open http://localhost/owncloud and finish installation by creating an admin user
3. Log in as admin user and create two regular users user1 and user2
4. Log into ownCloud as user1 and create an empty text file
5. Share this file to user2 and leave the "can edit" checkbox unchecked as it is by default
6. Log in via WebDAV as user2 (I used nautilus of GNOME 3)
7. Navigate to the empty file, open, edit and save it
8. user1's once empty file now contains the changes from user2

If version control is activated in ownCloud, user1 could revert the file to its previous state, but if it's *not* activated, user1's data is lost.

I contacted an ownCloud developer who sent me a patch that was applied to their development branch to address this issue. I had to adjust it a little to make it apply against ownCloud 4.0.5 in Debian sid/unstable. The patch should now be included in the latest Debian sid/unstable owncloud 4.0.5debian2-2 package. I attach the adjusted patch to this mail.

Best regards
- Fuddl

Attachment: fix-webdav-security.diff (text/x-patch, 1826 bytes)
Attachment: signature.asc (application/pgp-signature, 199 bytes)
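As an added illustration of the class of bug reported above (this is hypothetical model code, not the attached patch and not ownCloud's own implementation), the following contrasts a WebDAV authorization check that only asks "is the file shared with this user?" with one that maps each WebDAV method to the permission the share actually grants. Permission constants, the Share record and the method table are assumptions of this model.

```python
"""Model of share-permission enforcement on a WebDAV path (hypothetical, not ownCloud code)."""
from dataclasses import dataclass

# Permission bits assumed for this model (not ownCloud's real constants).
PERM_READ = 1
PERM_UPDATE = 2

# Which permission each WebDAV method needs on the target file.
# Anything that changes content or metadata requires PERM_UPDATE.
METHOD_PERMISSION = {
    "GET": PERM_READ, "HEAD": PERM_READ, "PROPFIND": PERM_READ,
    "PUT": PERM_UPDATE, "PROPPATCH": PERM_UPDATE,
    "MOVE": PERM_UPDATE, "DELETE": PERM_UPDATE,
}


@dataclass(frozen=True)
class Share:
    owner: str
    path: str
    target_user: str
    permissions: int  # bitmask of PERM_* granted to target_user


def share_for(shares, user, owner, path):
    """Return the share entry granting `user` access to owner's file, or None."""
    for s in shares:
        if s.owner == owner and s.path == path and s.target_user == user:
            return s
    return None


def authorize_vulnerable(shares, user, owner, path, method):
    """Flawed check: visibility implies every operation, so a read-only share is writable."""
    return user == owner or share_for(shares, user, owner, path) is not None


def authorize_fixed(shares, user, owner, path, method):
    """Correct check: the share must grant the permission the method needs; deny by default."""
    if user == owner:
        return True
    share = share_for(shares, user, owner, path)
    required = METHOD_PERMISSION.get(method.upper())
    if share is None or required is None:
        return False
    return share.permissions & required == required


# Constructed sample matching the report: user1 shares a file with user2, "can edit" unchecked.
SHARES = [Share("user1", "/notes.txt", "user2", PERM_READ)]


def writable_methods(check, shares=SHARES, user="user2", owner="user1", path="/notes.txt"):
    """Methods user2 may use on the read-only share under the given check."""
    return sorted(m for m in METHOD_PERMISSION if check(shares, user, owner, path, m))
```

Running `writable_methods(authorize_vulnerable)` lists PUT, MOVE and DELETE alongside the read methods, while `writable_methods(authorize_fixed)` lists only GET, HEAD and PROPFIND; the same table is the natural place to hang a regression test for a share-permission fix.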