Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 Feb 2013 19:09:27 +0100
From: Lukas Reschke <lukas@...cloud.org>
To: oss-security@...ts.openwall.com
Cc: "security@...cloud.com" <security@...cloud.com>
Subject: ownCloud Security Advisories (2013-003, 2013-004, 2013-005, 2013-006, 2013-007)

# Multiple XSS vulnerabilities (oC-SA-2013-003)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-003/

## CVE IDENTIFIERS
- CVE-2013-0297, CVE-2013-0307 (4.0 & 4.5)
- CVE-2013-0298 (4.5)

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## DESCRIPTION
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6
and 4.0.11 and all prior versions allow remote attackers to inject
arbitrary web script or HTML via

- the "site_name" and "site_url" POST parameters to setsites.php in
/apps/external/ajax/ (CVE-2013-0297
  - Commits:  e0140a (stable45), 1fbb89a (stable4)
  - Risk: Low
  - Note: Successful exploitation of this stored XSS requires the
"external" app to be enabled (disabled by default) and administrator
privileges.
- the group input field to settings.php (CVE-2013-0307)
  - Commits:  e2faa92 (stable45), 57f40b2 (stable4)
  - Risk: Low
  - Note: Successful exploitation of this DOM based self XSS requires
administrator privileges.

Multiple cross-site scripting (XSS) vulnerability in ownCloud 4.5.6
and all prior versions (except 4.0.x) allow remote attackers to inject
arbitrary web script or HTML via

- the import of a specially crafted iCalendar file via the calendar
application (CVE-2013-0298)
  - Commits: 6608da2 (stable45)
  - Risk: High
  - Note: Successful exploitation of this stored XSS requires the
"calendar" app to be enabled (enabled by default), an attacker may be
able to share this crafted event with other users.
- the "dir" and "file" GET parameter to viewer.php in
/apps/files_pdfviewer/ (CVE-2013-0298)
  - Commits: 04cbec7 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this reflected XSS requires the
"files_pdfviewer" app to be enabled (enabled by default).
- the "mountpoint" POST parameter to addMountPoint.php in
/apps/files_external/ (CVE-2013-0298)
  - Commits: / (stable45)
  - Risk: Low
  - Note: Successful exploitation of this reflected XSS requires the
"files_external" app to be enabled (disabled by default).

## Credits
The ownCloud Team would like to thank Sabari Selvan
(http://www.ehackingnews.com) for discovering a XSS vulnerability
(CVE-2013-0307).</p>

## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Multiple CSRF vulnerabilities (oC-SA-2013-004)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-004/

## CVE IDENTIFIERS
- CVE-2013-0299 (4.0 & 4.5)
- CVE-2013-0300 (4.5)
- CVE-2013-0301 (4.0)

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud
4.5.6 and 4.0.11 and all prior versions before allows remote attackers
to hijack the authentication for users via

- the "lat" and "lng" POST parameters to guesstimezone.php in
/apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits:  452a626 (stable45), 015ac6a (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of the user.
- the "timezonedetection" POST parameter to timezonedetection.php in
/apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits:  452a626 (stable45), 97d0cee (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to disable or enable the automatic
timezone detection.
- the "admin_export" POST parameter to settings.php in
/apps/admin_migrate/ (CVE-2013-0299)

  - Commits: bc93744 (stable45), 28dc89e (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the
"admin_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to import an user account.
- the "operation" POST parameter to export.php in
/apps/user_migrate/ajax/ (CVE-2013-0299)
  - Commits: 2de405a (stable45), de9befd (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the
"user_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to overwrite files of the logged in user.
- multiple unspecified POST parameters to settings.php in
/apps/user_ldap/ (CVE-2013-0299)
  - Commits: 5ec272d (stable45), b966095 (stable4)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the
"user_ldap" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud
4.5.6 and all prior versions (except 4.0.x) allows remote attackers to
hijack the authentication for users via

- the "v" POST parameter to changeview.php in /apps/calendar/ajax/
(CVE-2013-0300)
  - Commits:  452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the default view of an user.
- multiple unspecified parameters to addRootCertificate.php,
dropbox.php and google.php in /apps/files_external/ajax/
(CVE-2013-0300)
  - Commits:  2e819d6 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this CSRF requires the
"files_external" app to be enabled (disabled by default).
  - Impact: An attacker may be able to mount arbitrary Google Drive or
Dropbox folders to the internal filesystem.
- multiple unspecified POST parameters to settings.php in
/apps/user_webdavauth/ (CVE-2013-0300)
  - Commits: 9282641 (stable45)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the
"user_webdavauth" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.

A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11
and all prior versions allows remote attackers to hijack the
authentication for users via

- the "timezone" POST parameter to settimezone.php in
/apps/calendar/ajax/settings/ (CVE-2013-0301)
  - Commits:  452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of an user.

## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Information disclosure (oC-SA-2013-005)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-005/

## CVE IDENTIFIER
- CVE-2013-0302

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7

## RISK
Low

## Commits
- c67261fe (stable45)

## DESCRIPTION
Due to the inclusion of the Amazon SDK testing suite an
unauthenticated attacker is able to gain additional informations about
the server including:

- the PHP version
- the cURL version
- informations wether the following functions/modules are available:
  - SimpleXML
  - DOM
  - SPL
  - JSON
  - PCRE
  - File System Read/Write
  - OpenSSL
  - Zlib
  - APC
  - XCache
  - Memcache
  - Memcached
  - PDO
  - PDO-SQLite
  - SQLite 2
  - SQLite 3
- the following PHP settings:
  - open_basedir
  - safe_mode
  - zend.enable_gc
- the server architecture (32bit/64bit)

## RESOLUTION
Update to ownCloud Server 4.5.7
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2

---------------------------------------

# Multiple code executions (oC-SA-2013-006)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-006/

## CVE IDENTIFIER
- CVE-2013-0303

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12

## RISK
Critical

## DESCRIPTION
A code executions vulnerability in ownCloud 4.5.6 and 4.0.11 and all
prior versions allow authenticated remote attackers to execute
arbitrary PHP code via

- unspecified POST parameters to translations.php in /core/ajax/
  - Commits: 74e73bc (stable4), ece08cd (stable45)
  - Risk: Critical

A code executions vulnerability in ownCloud 4.5.6 and all prior
versions (except ownCloud 4.0.x) allow authenticated remote attackers
to execute arbitrary PHP code via

- unspecified POST parameters to settings.php in /core/
  - Commits: 746aa0 (stable45)
  - Risk: Critical

## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2

---------------------------------------

# Privilege escalation in the calendar application (oC-SA-2013-007)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-007/

## CVE IDENTIFIER
- CVE-2013-0304

## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7

## RISK
High

## COMMIT
- d4802d8 (stable45)

## DESCRIPTION
Due to not properly checking the ownership of an calendar, an
authenticated attacker is able to download calendars of other users
via the "calid" GET parameter to export.php in /apps/calendar/

Note: Successful exploitation of this CSRF requires the "calendar" app
to be enabled (enabled by default).

## CREDITS
The ownCloud Team would like to thank Romain Severin
(http://www.intrinsec.com/) for discovering this vulnerability.

## RESOLUTION
Update to ownCloud Server 4.5.7
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.