This repository has been archived by the owner on Jan 21, 2021. It is now read-only.

fixed number confusion #1101

Merged
merged 1 commit into from Nov 11, 2016
28 changes: 17 additions & 11 deletions advisories/advisories.rss
@@ -5,35 +5,41 @@
<link>https://owncloud.org/security/advisories/</link>
<description>The ownCloud security advisories as a RSS feed</description>
<ttl>1800</ttl><item>
<title>Server: Content-Spoofing in &quot;dav&quot; app (oC-SA-2016-020)</title>
<description>&lt;p&gt;The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-020&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<title>Server: Content-Spoofing in &quot;dav&quot; app (oC-SA-2016-021)</title>
<description>&lt;p&gt;The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-021&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://owncloud.org/security/advisory/?id=oC-SA-2016-021</link>
<guid isPermaLink="true">https://owncloud.org/security/advisory/?id=oC-SA-2016-021</guid>
<pubDate>Thu, 10 Nov 2016 11:59:16 +0100</pubDate>
</item><item>
<title>Server: Content-Spoofing in &quot;files&quot; app (oC-SA-2016-020)</title>
<description>&lt;p&gt;The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-020&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://owncloud.org/security/advisory/?id=oC-SA-2016-020</link>
<guid isPermaLink="true">https://owncloud.org/security/advisory/?id=oC-SA-2016-020</guid>
<pubDate>Thu, 10 Nov 2016 11:59:16 +0100</pubDate>
</item><item>
<title>Server: Content-Spoofing in &quot;files&quot; app (oC-SA-2016-019)</title>
<description>&lt;p&gt;The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-019&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<title>Server: Reflected XSS in Gallery application (oC-SA-2016-019)</title>
<description>&lt;p&gt;The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-019&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://owncloud.org/security/advisory/?id=oC-SA-2016-019</link>
<guid isPermaLink="true">https://owncloud.org/security/advisory/?id=oC-SA-2016-019</guid>
<pubDate>Thu, 10 Nov 2016 11:59:16 +0100</pubDate>
</item><item>
<title>Server: Reflected XSS in Gallery application (oC-SA-2016-018)</title>
<description>&lt;p&gt;The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-018&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<title>Server: Stored XSS in CardDAV image export (oC-SA-2016-018)</title>
<description>&lt;p&gt;The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt;ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-018&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://owncloud.org/security/advisory/?id=oC-SA-2016-018</link>
<guid isPermaLink="true">https://owncloud.org/security/advisory/?id=oC-SA-2016-018</guid>
<pubDate>Thu, 10 Nov 2016 11:59:16 +0100</pubDate>
</item><item>
<title>Server: Stored XSS in CardDAV image export (oC-SA-2016-017)</title>
<description>&lt;p&gt;The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt;ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-017&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<title>Server: SMB User Authentication Bypass (oC-SA-2016-017)</title>
<description>&lt;p&gt;ownCloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server. This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; The SMB backend is disabled by default and requires manual configuration in the ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-017&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://owncloud.org/security/advisory/?id=oC-SA-2016-017</link>
<guid isPermaLink="true">https://owncloud.org/security/advisory/?id=oC-SA-2016-017</guid>
<pubDate>Thu, 10 Nov 2016 11:59:16 +0100</pubDate>
</item><item>
<title>Server: SMB User Authentication Bypass (oC-SA-2016-016)</title>
<description>&lt;p&gt;ownCloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server. This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; The SMB backend is disabled by default and requires manual configuration in the ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-016&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<title>Desktop Client: Local Code Injection (oC-SA-2016-016)</title>
<description>&lt;p&gt;The ownCloud Client was vunerable to a local code injection attack. A malicious local user could create a special path where the client would load libraries from during startup. As on Windows, everyone by default has the permission to write to the &lt;code&gt;C:&lt;/code&gt; drive and create arbitrary directories and subdirectories, this attack is practically feasible in any non-hardened Windows environment. This could lead to injecting code into other users' ownCloud Client.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-016&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://owncloud.org/security/advisory/?id=oC-SA-2016-016</link>
<guid isPermaLink="true">https://owncloud.org/security/advisory/?id=oC-SA-2016-016</guid>
<pubDate>Thu, 10 Nov 2016 11:59:16 +0100</pubDate>
<pubDate>Wed, 17 Aug 2016 17:37:31 +0200</pubDate>
</item><item>

@Peter-Prochaska @DeepDiver1975 did you intend to roll back time here?

<title>Server: Read-only share recipient can restore old versions of file (oC-SA-2016-015)</title>
<description>&lt;p&gt;The restore capability of ownCloud was not verifying whether an user has only read-only access to a share. Thus an user with read-only access was able to restore old versions.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://owncloud.org/security/advisory/?id=oC-SA-2016-015&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
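Review bot: every `<guid>` in this hunk is unchanged while its `<title>` and `<description>` are swapped to a different advisory (guid ...oC-SA-2016-017 goes from "Stored XSS in CardDAV image export" to "SMB User Authentication Bypass", ...016 from the SMB bypass to "Desktop Client: Local Code Injection"), and the 016 item's `<pubDate>` moves from Thu, 10 Nov 2016 back to Wed, 17 Aug 2016. Feed readers key items on guid, so anyone who polled the feed between the two revisions keeps the old, wrong title cached for each guid and will not see the corrected text; the rolled-back date also sorts the desktop-client entry below the 10 Nov items in date-ordered readers. If 17 Aug 2016 is the real publication date of the desktop advisory (advisory-side.php lists it under a separate product, ownCloud desktop 2.2.3), state that in the PR description; otherwise keep Thu, 10 Nov 2016 like the other items.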
10 changes: 5 additions & 5 deletions advisories/advisory-side.php
@@ -1,9 +1,9 @@
<br/><p>ownCloud server 9.1.2</p>
<a href="/security/advisory?id=oc-sa-2016-016">SMB User Authentication Bypass</a><br/>
<a href="/security/advisory?id=oc-sa-2016-017">Stored XSS in CardDAV image export</a><br/>
<a href="/security/advisory?id=oc-sa-2016-018">Reflected XSS in Gallery application</a><br/>
<a href="/security/advisory?id=oc-sa-2016-019">Content-Spoofing in "files" app</a><br/>
<a href="/security/advisory?id=oc-sa-2016-020">Content-Spoofing in "dav" app</a><br/>
<a href="/security/advisory?id=oc-sa-2016-017">SMB User Authentication Bypass</a><br/>
<a href="/security/advisory?id=oc-sa-2016-018">Stored XSS in CardDAV image export</a><br/>
<a href="/security/advisory?id=oc-sa-2016-019">Reflected XSS in Gallery application</a><br/>
<a href="/security/advisory?id=oc-sa-2016-020">Content-Spoofing in "files" app</a><br/>
<a href="/security/advisory?id=oc-sa-2016-021">Content-Spoofing in "dav" app</a><br/>
<br/><p>ownCloud desktop 2.2.3</p>
<a href="/security/advisory?id=oc-sa-2016-016">Local Code Injection</a><br/>
<br/><p>ownCloud mobile iOS 3.4.4</p>
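Review bot: the hrefs here use lowercase ids without a trailing slash (`/security/advisory?id=oc-sa-2016-017`) while the `<link>` and `<guid>` values in advisories.rss in the same PR use `/security/advisory/?id=oC-SA-2016-017`. The renumbering itself is consistent between the two files (server 9.1.2 now 017 to 021, desktop 2.2.3 keeps 016), but confirm the advisory route resolves both the id casing and the slash variant, or normalise both files on one form.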
28 changes: 16 additions & 12 deletions advisories/oc-sa-2016-017.php
@@ -9,35 +9,39 @@
<?php get_template_part('advisories/advisory-side'); ?>
</div>
<div class="col-md-8">
<h2>Stored XSS in CardDAV image export (oC-SA-2016-017)</h2>
<h2>SMB User Authentication Bypass (oC-SA-2016-017)</h2>
<p>10th November 2016</p>
<p>Risk level: <strong>Medium</strong></p>
<p>CVSS v3 Base Score: 5.4 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N">AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</a>)</p>
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/163338">163338</a></p>
<p>Risk level: <strong>High</strong></p>
<p>CVSS v3 Base Score: 7.4 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N">AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</a>)</p>
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/303.html">Incorrect Implementation of Authentication Algorithms (CWE-303)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/148151">148151</a></p>
<h3>Description</h3>
<p><p>The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.</p>
<p><b>Note:</b>ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.</p>
<p><p>ownCloud includes an optional and not by default enabled SMB authentication component that allows to authenticate users against an SMB server. This backend is implemented in a way that it tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials.</p>
<p><b>Note:</b> The SMB backend is disabled by default and requires manual configuration in the ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.</p>
</p>
<h3>Affected Software</h3>
<ul>
<li>ownCloud Server &lt; <strong>9.1.2</strong> (CVE-2016-????)</li>
<ul>
<li><a href="https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e">core/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e</a></li>
<li><a href="https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732">apps/5d47e7b52646cf79edadd78ce10c754290cbb732</a></li>
</ul>
<li>ownCloud Server &lt; <strong>9.0.6</strong> (CVE-2016-????)</li>
<ul>
<li><a href="https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845">core/b5a5be24c418033cb2ef965a4f3f06b7b4213845</a></li>
<li><a href="https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791">apps/16cbccfc946c8711721fa684d78135ca1fb64791</a></li>
</ul>
<li>ownCloud Server &lt; <strong>8.2.9</strong> (CVE-2016-????)</li>
<ul>
<li><a href="https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3">apps/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3</a></li>
</ul>

</ul>
<h3>Action Taken</h3>
<p>The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.</p>
<p>The SMB backend is now performing an additional authentication attempt with invalid credentials. If that succeeds as well it assumes that anonymous authentications are enabled and denies the login attempt.</p>
<h3>Acknowledgements</h3>
<p>The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
<li><a href="https://nextcloud.com/" target="_blank" rel="noreferrer">Lukas Reschke - Nextcloud GmbH - Vulnerability discovery and disclosure.</a></li>
<li><a href="https://rhinosecuritylabs.com/" target="_blank" rel="noreferrer">Dwight Hohnstein - Rhino Security Labs - Vulnerability discovery and disclosure.</a></li>
</ul>
<br/><small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>. Original source: <a href="https://nextcloud.com/security/advisory/?id=NC-SA-2016-008">nextcloud.com</a></small>
<br/><small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>. Original source: <a href="https://nextcloud.com/security/advisory/?id=NC-SA-2016-006">nextcloud.com</a></small>
</div>
</div>
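Review bot: the Affected Software list still cites core/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e and core/b5a5be24c418033cb2ef965a4f3f06b7b4213845 even though this advisory is now the SMB authentication bypass; those are the same two core commits that oc-sa-2016-018.php (now the CardDAV XSS) lists in this PR, and only the apps/... commits here are not shared. Either both fixes genuinely touch the same core commits or the list was carried over from the old CardDAV content when only the heading, metadata, description and Action Taken were swapped; check each commit against the SMB backend fix and drop the ones that do not belong. The CVE-2016-???? placeholders are also still unresolved for all three versions. Minor: the description reads "SMB servers that any kind of anonymous auth configured" (missing "have").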
19 changes: 10 additions & 9 deletions advisories/oc-sa-2016-018.php
@@ -9,34 +9,35 @@
<?php get_template_part('advisories/advisory-side'); ?>
</div>
<div class="col-md-8">
<h2>Reflected XSS in Gallery application (oC-SA-2016-018)</h2>
<h2>Stored XSS in CardDAV image export (oC-SA-2016-018)</h2>
<p>10th November 2016</p>
<p>Risk level: <strong>Medium</strong></p>
<p>CVSS v3 Base Score: 6.1 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N">AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</a>)</p>
<p>CVSS v3 Base Score: 5.4 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N">AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</a>)</p>
<p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/165686">165686</a></p>
<p>HackerOne report: <a href="https://hackerone.com/reports/163338">163338</a></p>
<h3>Description</h3>
<p><p>The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.</p>
<p><p>The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.</p>
<p><b>Note:</b>ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.</p>
</p>
<h3>Affected Software</h3>
<ul>
<li>ownCloud Server &lt; <strong>9.1.2</strong> (CVE-2016-????)</li>
<ul>
<li><a href="https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee">gallery/b3b3772fb9bec61ba10d357bef42b676fa474eee</a></li>
<li><a href="https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e">core/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e</a></li>
</ul>
<li>ownCloud Server &lt; <strong>9.0.6</strong> (CVE-2016-????)</li>
<ul>
<li><a href="https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a">gallery/dc4887f1afcc0cf304f4a0694075c9364298ad8a</a></li>
<li><a href="https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845">core/b5a5be24c418033cb2ef965a4f3f06b7b4213845</a></li>
</ul>

</ul>
<h3>Action Taken</h3>
<p>Error messages are now properly sanitized.</p>
<p>The mimetype of the exported image is now compared with a whitelist as well as download disposition headers have been set on the response.</p>
<h3>Acknowledgements</h3>
<p>The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
<ul>
<li>Aliaksei Panamarenka - Vulnerability discovery and disclosure.</li>
<li><a href="https://nextcloud.com/" target="_blank" rel="noreferrer">Lukas Reschke - Nextcloud GmbH - Vulnerability discovery and disclosure.</a></li>
</ul>
<br/><small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>. Original source: <a href="https://nextcloud.com/security/advisory/?id=NC-SA-2016-009">nextcloud.com</a></small>
<br/><small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>. Original source: <a href="https://nextcloud.com/security/advisory/?id=NC-SA-2016-008">nextcloud.com</a></small>
</div>
</div>
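Review bot: `<b>Note:</b>ownCloud` in the description has no space after the closing tag and renders as "Note:ownCloud"; the same string appears in the advisories.rss item for this advisory, so fix both. The Affected Software list now carries only core/6bf3be38... and core/b5a5be24..., which oc-sa-2016-017.php also lists in this PR, so confirm they are the CardDAV export fix and not the SMB one. On the mitigation text: the note says the stored XSS is only exploitable on browsers without CSP support, and Action Taken adds a mimetype whitelist plus "download disposition headers"; naming the header (presumably `Content-Disposition: attachment`) would make it clear that the exported image is never rendered inline regardless of CSP support.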