BugTraq
TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0 Apr 18 2012 07:15AM
Tobias Glemser (tglemser tele-consulting com)
TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

Published: 2012/04/18
Version 1.0

Affected products:
ownCloud version 3.0.0 (others not tested)
http://owncloud.org

References:
TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt
(used for updates)
CVE-2012-2269 - XSS in ownCloud 3.0.0
CVE-2012-2270 - Open Redirect in ownCloud 3.0.0

Summary:
"ownCloud gives you easy and universal access to all of your files.
It also provides a platform to easily view, sync and share your
contacts, calendars, bookmarks and files across all your devices.
ownCloud 3 brings loads of new features and hundreds of fixes"

Vulnerable Scripts:
stored XSS:
- /apps/contacts/ajax/addcard.php (any input field)
- /apps/contacts/ajax/addproperty.php (parameter)
- /apps/contacts/ajax/createaddressbook (name)

reflected XSS:
- /files/download.php (file)
- /files/index.php (name, user, redirect_url)

open redirect after login:
- Login Page

Examples:
stored XSS:
- add a new contact and enter <script>alert("Help Me")</script> in
any field, save the contact
- add a new date in calendar with name <script>alert("Help
Me")</script>"

reflected XSS (un-authenticated):
-
http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help
Me")</script><l=" (must not be logged in)

open redirect after login:
-
http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangrei
fe
r.de/

Possible solutions:
- update to OwnCloud 3.0.2

Disclosure Timeline:
2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
2012/02/01 vendor contacted via E-Mail
2012/02/02 vendor response
2012/04/16 asked vendor for status updates
2012/04/16 vendor status: patched with version 3.0.2
2012/04/18 public disclosure

Credits:
Tobias Glemser (tglemser (at) tele-consulting (dot) com [email concealed])
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus