ownCloud file sharing self-hosted platform reports critical bugs, PoC available

published: Nov. 25, 2023

Take action: If you are using ownCloud, start applying the workarounds immediately. Because it is file-sharing software, it is very probably exposed to the internet, so urgency is more than advised. With an exploit PoC available, patching is even more urgent.

Learn More

Three severe security vulnerabilities have been identified in the ownCloud file-sharing application, which could significantly compromise the system's security. ownCloud is an open-source file synchronization and sharing solution designed to allow businesses, organizations, and individuals to host their own private cloud storage platform.

  1. The most severe vulnerability, tracked as CVE-2023-49103 (CVSS3 score 10), allows attackers to extract sensitive credentials and configuration data in certain deployments. This flaw stems from a reliance on a third-party library that inadvertently discloses PHP environment variables via a URL. This could lead to the leakage of ownCloud administrator passwords, mail server credentials, and other critical information. The ownCloud team has recommended specific measures to rectify this issue:
    1. Removing the file 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'.
    2. Disabling the 'phpinfo' function in all Docker containers running the ownCloud components.
    3. Updating all potentially compromised passwords and access keys. They have stressed that merely deactivating the affected application does not address the vulnerability.
  2. The second flaw, tracked as CVE-2023-49105 (CVSS3 score 9.8), permits unauthenticated access to files if the attacker knows the username and a signing key is not configured. The proposed resolution is to restrict the use of pre-signed URLs if a signing key is not configured.
  3. The third flaw, tracked as CVE-2023-49104 (CVSS v3 score: 8.7 by NVD, 9 by ownCloud), involves a subdomain validation bypass in the oauth2 library. It could allow attackers to redirect callbacks to malicious domains. A more stringent validation process has been suggested to mitigate this risk, with a provisional fix being to disable the "Allow Subdomains" feature.

OwnCloud advises administrators to apply the mitigation measures as soon as possible.
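
To verify the first two CVE-2023-49103 measures on a host or inside a container, the following is an added example, not ownCloud's own tooling. The function names are hypothetical, `OC_ROOT` is assumed to be the directory the advisory path calls 'owncloud', and the PHP ini file to inspect is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit one ownCloud install for the CVE-2023-49103 workarounds.
# Path of the test file named in the advisory, relative to the ownCloud root.
PHPINFO_REL='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# phpinfo_disabled INI_FILE: succeeds if the last active disable_functions
# assignment in INI_FILE lists phpinfo (a later assignment overrides earlier ones).
phpinfo_disabled() {
    [ -r "$1" ] || return 1
    # Strip ';' comments and all whitespace, then take the last assignment.
    value=$(sed -e 's/;.*$//' -e 's/[[:space:]]//g' "$1" |
            grep '^disable_functions=' | tail -n 1 | cut -d= -f2- | tr -d '"')
    case ",$value," in
        *,phpinfo,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_owncloud OC_ROOT INI_FILE: prints findings; exit status = open items.
audit_owncloud() {
    oc_root=$1; ini=$2; open_items=0
    if [ -e "$oc_root/$PHPINFO_REL" ]; then
        echo "OPEN: $oc_root/$PHPINFO_REL is still present"
        open_items=$((open_items + 1))
    else
        echo "ok: GetPhpInfo.php is not present under $oc_root"
    fi
    if phpinfo_disabled "$ini"; then
        echo "ok: phpinfo is listed in disable_functions ($ini)"
    else
        echo "OPEN: phpinfo is not listed in disable_functions ($ini)"
        open_items=$((open_items + 1))
    fi
    return "$open_items"
}

# Usage: sh audit.sh OC_ROOT INI_FILE   (both paths are supplied by the caller)
if [ "$#" -eq 2 ]; then
    audit_owncloud "$1" "$2"
fi
```

Run it in each container that serves ownCloud, against the ini file that PHP actually loads there; settings applied through other ini files or server-level overrides are not seen by this check. It does not cover the third measure, rotating potentially exposed passwords and access keys.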

Update: as of 4 December 2023, the details and a proof-of-concept (PoC) of the flaw were published by Ambionics. The analysis succinctly puts it: “CVE-2023-49105 allows you to either gain complete access to the files of any user (and potentially, get RCE), or if you already have an account, escalate your privileges to admin, leading to remote code execution.”
