From 80da26839e1cd18095bc9d1fe90daff4e782466f Mon Sep 17 00:00:00 2001 From: Peter Prochaska Date: Fri, 11 Nov 2016 07:57:35 +0100 Subject: [PATCH] fixed number confusion --- advisories/advisories.rss | 28 +++++++++++++--------- advisories/advisory-side.php | 10 ++++---- advisories/oc-sa-2016-017.php | 28 ++++++++++++---------- advisories/oc-sa-2016-018.php | 19 ++++++++------- advisories/oc-sa-2016-019.php | 22 ++++++++--------- advisories/oc-sa-2016-020.php | 16 ++++++------- advisories/oc-sa-2016-021.php | 42 +++++++++++++++++++++++++++++++++ advisories/server-list-part.php | 22 ++++++++--------- 8 files changed, 120 insertions(+), 67 deletions(-) create mode 100644 advisories/oc-sa-2016-021.php diff --git a/advisories/advisories.rss b/advisories/advisories.rss index 46d1e2c60..6b7b61ddb 100644 --- a/advisories/advisories.rss +++ b/advisories/advisories.rss 
@@ -5,35 +5,41 @@ https://owncloud.org/security/advisories/ The ownCloud security advisories as a RSS feed 1800 - Server: Content-Spoofing in "dav" app (oC-SA-2016-020) - <p>The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-020">For more information please consult the official advisory.</a></strong></p> + Server: Content-Spoofing in "dav" app (oC-SA-2016-021) + <p>The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-021">For more information please consult the official advisory.</a></strong></p> + https://owncloud.org/security/advisory/?id=oC-SA-2016-021 + https://owncloud.org/security/advisory/?id=oC-SA-2016-021 + Thu, 10 Nov 2016 11:59:16 +0100 + + Server: Content-Spoofing in "files" app (oC-SA-2016-020) + <p>The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-020">For more information please consult the official advisory.</a></strong></p> https://owncloud.org/security/advisory/?id=oC-SA-2016-020 https://owncloud.org/security/advisory/?id=oC-SA-2016-020 Thu, 10 Nov 2016 11:59:16 +0100 - Server: Content-Spoofing in "files" app (oC-SA-2016-019) - <p>The location bar in the files app was not verifying the passed parameters. 
An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-019">For more information please consult the official advisory.</a></strong></p> + Server: Reflected XSS in Gallery application (oC-SA-2016-019) + <p>The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-019">For more information please consult the official advisory.</a></strong></p> https://owncloud.org/security/advisory/?id=oC-SA-2016-019 https://owncloud.org/security/advisory/?id=oC-SA-2016-019 Thu, 10 Nov 2016 11:59:16 +0100 - Server: Reflected XSS in Gallery application (oC-SA-2016-018) - <p>The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-018">For more information please consult the official advisory.</a></strong></p> + Server: Stored XSS in CardDAV image export (oC-SA-2016-018) + <p>The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.</p><p><b>Note:</b>ownCloud employs a very strict Content Security Policy on the DAV endpoints. 
This is thus only exploitable on browsers that don't support Content Security Policy.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-018">For more information please consult the official advisory.</a></strong></p> https://owncloud.org/security/advisory/?id=oC-SA-2016-018 https://owncloud.org/security/advisory/?id=oC-SA-2016-018 Thu, 10 Nov 2016 11:59:16 +0100 - Server: Stored XSS in CardDAV image export (oC-SA-2016-017) - <p>The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.</p><p><b>Note:</b>ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-017">For more information please consult the official advisory.</a></strong></p> + Server: SMB User Authentication Bypass (oC-SA-2016-017) + <p>ownCloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server. This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.</p><p><b>Note:</b> The SMB backend is disabled by default and requires manual configuration in the ownCloud config file. 
If you have not configured the SMB backend then you're not affected by this vulnerability.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-017">For more information please consult the official advisory.</a></strong></p> https://owncloud.org/security/advisory/?id=oC-SA-2016-017 https://owncloud.org/security/advisory/?id=oC-SA-2016-017 Thu, 10 Nov 2016 11:59:16 +0100 - Server: SMB User Authentication Bypass (oC-SA-2016-016) - <p>ownCloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server. This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.</p><p><b>Note:</b> The SMB backend is disabled by default and requires manual configuration in the ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-016">For more information please consult the official advisory.</a></strong></p> + Desktop Client: Local Code Injection (oC-SA-2016-016) + <p>The ownCloud Client was vunerable to a local code injection attack. A malicious local user could create a special path where the client would load libraries from during startup. As on Windows, everyone by default has the permission to write to the <code>C:</code> drive and create arbitrary directories and subdirectories, this attack is practically feasible in any non-hardened Windows environment. 
This could lead to injecting code into other users' ownCloud Client.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-016">For more information please consult the official advisory.</a></strong></p> https://owncloud.org/security/advisory/?id=oC-SA-2016-016 https://owncloud.org/security/advisory/?id=oC-SA-2016-016 - Thu, 10 Nov 2016 11:59:16 +0100 + Wed, 17 Aug 2016 17:37:31 +0200 Server: Read-only share recipient can restore old versions of file (oC-SA-2016-015) <p>The restore capability of ownCloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.</p><br/><hr/><p><strong><a href="https://owncloud.org/security/advisory/?id=oC-SA-2016-015">For more information please consult the official advisory.</a></strong></p> diff --git a/advisories/advisory-side.php b/advisories/advisory-side.php index c89dba348..463119557 100644 --- a/advisories/advisory-side.php +++ b/advisories/advisory-side.php @@ -1,9 +1,9 @@

ownCloud server 9.1.2

-SMB User Authentication Bypass
-Stored XSS in CardDAV image export
-Reflected XSS in Gallery application
-Content-Spoofing in "files" app
-Content-Spoofing in "dav" app
+SMB User Authentication Bypass
+Stored XSS in CardDAV image export
+Reflected XSS in Gallery application
+Content-Spoofing in "files" app
+Content-Spoofing in "dav" app

ownCloud desktop 2.2.3

Local Code Injection

ownCloud mobile iOS 3.4.4
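Review bot: the five removed and five added entries under "ownCloud server 9.1.2" carry identical visible text, so the actual change (presumably the link targets being moved to the renumbered advisories) cannot be checked in this rendering. Please confirm each entry now links to the page whose title it carries, in the mapping the RSS hunk establishes: SMB User Authentication Bypass to oC-SA-2016-017, Stored XSS in CardDAV image export to 018, Reflected XSS in Gallery application to 019, Content-Spoofing in "files" app to 020 and Content-Spoofing in "dav" app to 021.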

diff --git a/advisories/oc-sa-2016-017.php b/advisories/oc-sa-2016-017.php index f70e68fb1..c57f9b116 100644 --- a/advisories/oc-sa-2016-017.php +++ b/advisories/oc-sa-2016-017.php @@ -9,35 +9,39 @@
-

Stored XSS in CardDAV image export (oC-SA-2016-017)

+

SMB User Authentication Bypass (oC-SA-2016-017)

10th November 2016

-

Risk level: Medium

-

CVSS v3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

-

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

-

HackerOne report: 163338

+

Risk level: High

+

CVSS v3 Base Score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

+

CWE: Incorrect Implementation of Authentication Algorithms (CWE-303)

+

HackerOne report: 148151

Description

-

The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.

-

Note:ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.

+

ownCloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server. This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.

+

Note: The SMB backend is disabled by default and requires manual configuration in the ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.

Affected Software

Action Taken

-

The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.

+

The SMB backend is now performing an additional authentication attempt with invalid credentials. If that succeeds as well it assumes that anonymous authentications are enabled and denies the login attempt.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

-
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com +
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com
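Review bot: the Affected Software section of oc-sa-2016-017.php is left untouched while the page changes from the CardDAV XSS to the SMB authentication bypass, and the server-list-part.php hunk further down lists the SMB bypass under Version 8.2.9 as well as 9.1.2 and 9.0.6, a wider range than the other four fixes. Make sure the affected-version block on this page reflects that. Two wording fixes are worth making while the description is being moved: "SMB servers that any kind of anonymous auth configured" is missing "have", and "if that succeeded consider the user logged-in" reads better as "if that succeeds, considers the user logged in".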
diff --git a/advisories/oc-sa-2016-018.php b/advisories/oc-sa-2016-018.php index 06416c60e..e0dc44d55 100644 --- a/advisories/oc-sa-2016-018.php +++ b/advisories/oc-sa-2016-018.php @@ -9,34 +9,35 @@
-

Reflected XSS in Gallery application (oC-SA-2016-018)

+

Stored XSS in CardDAV image export (oC-SA-2016-018)

10th November 2016

Risk level: Medium

-

CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

+

CVSS v3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

-

HackerOne report: 165686

+

HackerOne report: 163338

Description

-

The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.

+

The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.

+

Note:ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.

Affected Software

Action Taken

-

Error messages are now properly sanitized.

+

The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

-
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com +
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com
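Review bot: "Note:ownCloud" in the CardDAV description is missing a space after the colon; it was already wrong on the old 017 page, but the text is being rewritten here anyway. In Action Taken, "download disposition headers" would be clearer as the header actually set, which for forcing a download is `Content-Disposition: attachment`; naming it lets readers verify the fix on their own instance. The metadata that moves with the text (Medium, 5.4, CWE-79, HackerOne 163338) matches what the old 017 page carried, so the swap itself is consistent.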
diff --git a/advisories/oc-sa-2016-019.php b/advisories/oc-sa-2016-019.php index 18166a4fd..33210aeb8 100644 --- a/advisories/oc-sa-2016-019.php +++ b/advisories/oc-sa-2016-019.php @@ -9,34 +9,34 @@
-

Content-Spoofing in "files" app (oC-SA-2016-019)

+

Reflected XSS in Gallery application (oC-SA-2016-019)

10th November 2016

-

Risk level: Low

-

CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

-

CWE: User Interface (UI) Misrepresentation of Critical Information (CWE-451)

-

HackerOne report: 154827

+

Risk level: Medium

+

CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

+

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

+

HackerOne report: 165686

Description

-

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

+

The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.

Affected Software

Action Taken

-

The passed parameter is now verified.

+

Error messages are now properly sanitized.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

-
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com +
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com
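Review bot: this is the third file whose body is rewritten so that the content shifts up by one number, and every field (risk level, CVSS vector, CWE, HackerOne id, description, action) has to be compared by hand against the old 018 page to confirm that nothing but the number changed. Renaming the files instead (oc-sa-2016-020.php to 021, 019 to 020, 018 to 019, 017 to 018, then adding the new 017) and changing only the id in each heading would let git show the shift as renames with a one-line change apiece. Also, "this lead to a reflected Cross-Site-Scripting vulnerability" should read "this led to".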
diff --git a/advisories/oc-sa-2016-020.php b/advisories/oc-sa-2016-020.php index 1f49dde5c..c65856d39 100644 --- a/advisories/oc-sa-2016-020.php +++ b/advisories/oc-sa-2016-020.php @@ -9,34 +9,34 @@
-

Content-Spoofing in "dav" app (oC-SA-2016-020)

+

Content-Spoofing in "files" app (oC-SA-2016-020)

10th November 2016

Risk level: Low

CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CWE: User Interface (UI) Misrepresentation of Critical Information (CWE-451)

-

HackerOne report: 149798

+

HackerOne report: 154827

Description

-

The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

+

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Affected Software

Action Taken

-

The user-controlled content has been removed from the exception message.

+

The passed parameter is now verified.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

-
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com +
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com
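Review bot: the Action Taken line "The passed parameter is now verified." does not say which parameter or what the check does; given the description, naming the parameter (the directory path handed to the files app location bar) and stating what the verification now rejects (an invalid or non-existent directory, going by the description) would make the fix verifiable. Risk level, CVSS 3.1 and CWE-451 stay as unchanged context here because both spoofing advisories share them; only the HackerOne id (149798 to 154827) and the text move, which matches the RSS hunk.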
diff --git a/advisories/oc-sa-2016-021.php b/advisories/oc-sa-2016-021.php new file mode 100644 index 000000000..ffa8c7c74 --- /dev/null +++ b/advisories/oc-sa-2016-021.php @@ -0,0 +1,42 @@ +
+
+

Security Advisory

+ Back to advisories +
+
+
+
+ +
+
+

Content-Spoofing in "dav" app (oC-SA-2016-021)

+

10th November 2016

+

Risk level: Low

+

CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

+

CWE: User Interface (UI) Misrepresentation of Critical Information (CWE-451)

+

HackerOne report: 149798

+

Description

+

The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

+

+

Affected Software

+ +

Action Taken

+

The user-controlled content has been removed from the exception message.

+

Acknowledgements

+

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

+ +
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com +
+
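Review bot: in the new oc-sa-2016-021.php the Affected Software and Acknowledgements headings are followed only by blank added lines in this rendering. If those sections are filled by includes as on the other advisory pages that is fine, but if the version list is inline it still needs to be added: server-list-part.php puts the "dav" spoofing fix under Version 9.1.2 and 9.0.6. The rest of the metadata (Low, 3.1, CWE-451, HackerOne 149798, the user-controlled content removed from the exception message) is exactly what the old 020 page carried.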
diff --git a/advisories/server-list-part.php b/advisories/server-list-part.php index 947891e29..a74775ed0 100644 --- a/advisories/server-list-part.php +++ b/advisories/server-list-part.php @@ -1,15 +1,15 @@

Version 9.1.2

-SMB User Authentication Bypass
-Stored XSS in CardDAV image export
-Reflected XSS in Gallery application
-Content-Spoofing in "files" app
-Content-Spoofing in "dav" app
+SMB User Authentication Bypass
+Stored XSS in CardDAV image export
+Reflected XSS in Gallery application
+Content-Spoofing in "files" app
+Content-Spoofing in "dav" app

Version 9.0.6

-SMB User Authentication Bypass
-Stored XSS in CardDAV image export
-Reflected XSS in Gallery application
-Content-Spoofing in "files" app
-Content-Spoofing in "dav" app
+SMB User Authentication Bypass
+Stored XSS in CardDAV image export
+Reflected XSS in Gallery application
+Content-Spoofing in "files" app
+Content-Spoofing in "dav" app

Version 9.0.4

Stored XSS in gallery application
Log pollution can potentially lead to local HTML injection
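Review bot: as in advisory-side.php, the removed and added entries under Version 9.1.2 and 9.0.6 show identical text, so only the link targets can have changed and they are not visible here; confirm they follow the 017 to 021 mapping from the RSS hunk. While here, "Stored XSS in gallery application" under Version 9.0.4 uses lower-case "gallery" where the 9.1.2 entry says "Gallery application"; worth aligning.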
@@ -23,7 +23,7 @@ Disclosure of arbitrary certificate files
Incorrect setup of external storage

Version 8.2.9

-SMB User Authentication Bypass
+SMB User Authentication Bypass

Version 8.2.7

Log pollution can potentially lead to local HTML injection
Edit permission check not enforced on WebDAV COPY action
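Review bot: in the advisories.rss hunk the item URLs are reused under different content: the two `https://owncloud.org/security/advisory/?id=oC-SA-2016-020` lines (presumably link and guid) and the `Thu, 10 Nov 2016 11:59:16 +0100` date stay as unchanged context while the title above them changes from the "dav" app spoofing to the "files" app spoofing, and the same happens for 019, 018 and 017. These items were published under the old numbers the day before this commit (the header dates the patch 11 Nov 2016), so feed readers that key on guid will keep the old title for each id, and anyone who copied an advisory number from the feed now holds a reference to a different issue. Suggest either bumping the date of every renumbered item or adding a sentence to each entry naming the id it was first published under. The 016 item also switches to the desktop-client Local Code Injection advisory with its date moved back to Wed, 17 Aug 2016, yet oc-sa-2016-016.php is not among the eight changed files; please confirm that page already shows the desktop-client content rather than the SMB bypass the feed listed it as before this patch.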