-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Data leak using orphaned share-over-link #15097
Comments
@LukasReschke @schiesbn This is interesting. What do you think? |
I have exactly the same issue. I looked up an orphaned share in the database and tried to download it. The token was probably created with owncloud 7 because it was the old format. This is a severe security issue which has to be dealt with immediately. |
I fail to reproduce this. |
I still could not reproduce the setup that led to having an orphaned entry in the oc_share table, but a single record in the table that does not point to a valid share (so it seems) offers all data to be downloaded. In the oc_share table for:
E.g. the following entry:
This of course is tampered data directly in the SQL, but my productive OC instance which had the issue was not tampered with. The link there pointed to a file, which was once shared using the token of the DB entry. Does in the case of the example calling https://link.to/owncloud/index.php/s/public_token download all your data? The oc_share entry of the incident, where the file was not on the server anymore, was:
I am using almost every official OC software there is in my productive setup (Android, iOS, Mac/Linux/Win client, web interface), that's why it's unfortunately hard for me to reproduce if any of those are responsible for the orphaned link. |
I also noticed: when I have sharing enabled and I am logged in, I can download this download.zip containing all my data when accessing https://link.to/owncloud/index.php/s/anytokenpossible/download. I realize that this is rather useless for an attacker since he would need credentials, but probably it is still unwanted behavior related to the issue. Having a valid token though, not pointing to a file, provides access to the data without credentials. |
I will take this one. @schwerpunkt Please contact us always using security@owncloud.com in case you found a potential security relevant issues. For more information on reporting security issues see https://owncloud.org/security/ – we will keep this open for now. |
I can reproduce this:
It's another issue that's not as critical, but should probably still get fixed. About the original issue:
The PHP version on my main system is 5.4.39-0+deb7u1. That was the system where i sucessfully reproduced the bug. |
Here are steps to generate orphaned shares, not sure if the result would be the same: #14664 |
I did some digging in the sharing code (including when things like xsendfile are used) and from my point-of-view we have the following different issues in place. However, I was not able to reproduce this issue but stumbled upon other (non security relevant) bugs. @schwerpunkt Can you double-check if accessing said sharing token with a not logged-in user (i.e. cookies and session cleaned) is still possible? If so would it be possible to provide me some kind of access to your machine? Accessing an invalid shared token's download page as guestSteps to reproduce
CauseThis problem is caused by the fact that the sharing controller is returning an empty string as current file file and folder path instead of throwing an exception. The function generating the downloaded ZIP then, Risk assessmentNot a security issue but anyways a low category bug. Action to take
Accessing an invalid shared token's download page as logged-in userSteps to reproduce
CauseThis problem is caused by the fact that the sharing controller is returning an empty string as current file file and folder path instead of throwing an exception. The function generating the downloaded ZIP then, Risk assessmentNot a security issue but anyways a low category bug. Action to take
Accessing valid shares where the file got deleted from the filecacheSteps to reproduce
CauseThis problem is caused by the fact that the sharing controller is returning an empty string as current file file and folder path instead of throwing an exception. The function generating the downloaded ZIP then, Risk assessmentNot a security issue but anyways a low category bug. Action to take
|
I was able to reproduce the bug.
Software versions: I hope these instructions were clear enough. If you're having trouble reproducing this, just ask me. |
Thanks. That helped a lot. – For the record. Database entry before update:
Database entry after update:
Regular sharing entry with ownCloud 8:
|
Preparing Pull Requests and hopefully some unit tests. |
Despite it's PHPDoc the function might return `null` which was not properly catched and thus in some situations the share was resolved to the sharing users root directory. To test this perform the following steps: * Share file in owncloud 7 (7.0.4.2) * Delete the parent folder of the shared file * The share stays is in the DB and the share via the sharelink is inaccessible. (which is good) * Upgrade to owncloud 8 (8.0.2) (This step is crucial. The bug is not reproduceable without upgrading from 7 to 8. It seems like the old tokens are handled different than the newer ones) * Optional Step: Logout, Reset Browser Session, etc. * Access the share via the old share url: almost empty page, but there is a dowload button which adds a "/download" to the URL. * Upon clicking, a download.zip is downloaded which contains EVERYTHING from the owncloud directory (of the user who shared the file) * No exception is thrown and no error is logged. This will add a check whether the share is a valid one and also adds unit tests to prevent further regressions in the future. Needs to be backported to ownCloud 8. Adding a proper clean-up of the orphaned shares is out-of-scope and would probably require some kind of FK or so. Fixes #15097
Despite it's PHPDoc the function might return `null` which was not properly catched and thus in some situations the share was resolved to the sharing users root directory. To test this perform the following steps: * Share file in owncloud 7 (7.0.4.2) * Delete the parent folder of the shared file * The share stays is in the DB and the share via the sharelink is inaccessible. (which is good) * Upgrade to owncloud 8 (8.0.2) (This step is crucial. The bug is not reproduceable without upgrading from 7 to 8. It seems like the old tokens are handled different than the newer ones) * Optional Step: Logout, Reset Browser Session, etc. * Access the share via the old share url: almost empty page, but there is a dowload button which adds a "/download" to the URL. * Upon clicking, a download.zip is downloaded which contains EVERYTHING from the owncloud directory (of the user who shared the file) * No exception is thrown and no error is logged. This will add a check whether the share is a valid one and also adds unit tests to prevent further regressions in the future. Needs to be backported to ownCloud 8. Adding a proper clean-up of the orphaned shares is out-of-scope and would probably require some kind of FK or so. Fixes #15097
…github.com/owncloud/core/commits/v8.1.1/apps/files_sharing/lib/controllers/sharecontroller.php Despite it's PHPDoc the function might return `null` which was not properly catched and thus in some situations the share was resolved to the sharing users root directory. To test this perform the following steps: * Share file in owncloud 7 (7.0.4.2) * Delete the parent folder of the shared file * The share stays is in the DB and the share via the sharelink is inaccessible. (which is good) * Upgrade to owncloud 8 (8.0.2) (This step is crucial. The bug is not reproduceable without upgrading from 7 to 8. It seems like the old tokens are handled different than the newer ones) * Optional Step: Logout, Reset Browser Session, etc. * Access the share via the old share url: almost empty page, but there is a dowload button which adds a "/download" to the URL. * Upon clicking, a download.zip is downloaded which contains EVERYTHING from the owncloud directory (of the user who shared the file) * No exception is thrown and no error is logged. This will add a check whether the share is a valid one and also adds unit tests to prevent further regressions in the future. Needs to be backported to ownCloud 8. Adding a proper clean-up of the orphaned shares is out-of-scope and would probably require some kind of FK or so. Fixes owncloud#15097
Steps to reproduce
I was not able to reproduce it so far.
It might have been a relict of the OC7 => OC8 upgrade.
Still there is a deep security/data leak issue:
I had shared a file with the share over link function in OC (I think it was the latest version of OC7) on my website a few weeks ago.
Later I unshared the file (I can't recall doing it through the webinterface or a mobile app or whether I just deleted the file).
Today I clicked the link that I still had on my website and unexpectedly an endless stream of data was downloaded from my OC (a download.zip accessed by a link that earlier had pointed to a shared picture).
I downloaded up to 3GB of that stream before I killed my apache out of fear.
The download.zip in the HEX editor showed terrifyingly my folder structure as well as all the files' contents.
The orphaned token of the shared link was still in the oc_share table of my database.
Expected behaviour
Invalid share-link should display a missing file / error message.
Orphaned shared links should not exist.
Actual behaviour
A whole stream of all my OC-users data was downloaded in a download.zip-file.
Server configuration
Operating system:
Ubuntu 12.04
Web server:
Apache/2.4.12 (Ubuntu)
Database:
mysql Ver 14.14
PHP version:
PHP 5.5.22-1+deb.sury.org~precise+1
ownCloud version: (see ownCloud admin page)
8.0.2.0
Updated from an older ownCloud or fresh install:
updated from latest OC7
List of activated apps:
Activity, Calendar, Contacts, Deleted Files, External storage support, First Run Wizard, Mozilla Sync, PDF Viewer, Pictures, Share Files, Text Editor, Updater, Versions, Video Viewer
The content of config/config.php:
Are you using external storage, if yes which one: local/smb/sftp/...
smb
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one:
none
The text was updated successfully, but these errors were encountered: