Multiple directory traversals (oC-SA-2013-020)


AFFECTED SOFTWARE

  • ownCloud Server < 5.0.6 (CVE-2013-2039, CVE-2013-2085)
  • ownCloud Server < 4.5.11 (CVE-2013-2039)
  • ownCloud Server < 4.0.15 (CVE-2013-2039)

RISK

  • Critical

COMMITS

CVE-2013-2039

CVE-2013-2085

DESCRIPTION

Multiple directory traversal vulnerabilities in (1) apps/files_trashbin/index.php via the “dir” GET parameter and (2) lib/files/view.php via undefined vectors, in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15, allow authenticated remote attackers to access arbitrary local files.
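The following is an added example, not ownCloud's code: it shows the containment check a server-side fix for the “dir” parameter needs (resolve the requested directory lexically under the user's trash bin and refuse anything that ends up outside it), plus a detection pass over web-server access logs for traversal attempts against files_trashbin/index.php. DATA_ROOT, the per-user files_trashbin layout and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout (not from the advisory): each user's trash lives under
# <datadirectory>/<user>/files_trashbin.
DATA_ROOT = "/var/www/owncloud/data"


def safe_trashbin_dir(user: str, dir_param: str):
    """Resolve the 'dir' GET parameter under the user's trash bin.

    Returns the resolved path, or None when the request would escape the
    trash bin. The check is purely lexical, so it works even when the
    requested directory does not exist yet.
    """
    base = posixpath.join(DATA_ROOT, user, "files_trashbin")
    raw = unquote(dir_param)        # decode once so %2e%2e%2f is seen as ../
    if "\x00" in raw:               # NUL bytes truncate paths in C-level APIs
        return None
    # "dir=/sub" is the normal ownCloud form: treat the leading "/" as relative
    # to base rather than as an absolute filesystem path.
    candidate = posixpath.normpath(posixpath.join(base, raw.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines):
    """Return request targets for files_trashbin/index.php whose decoded
    'dir' parameter contains a '..' path component."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or "files_trashbin/index.php" not in m.group(1):
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # parse_qs URL-decodes values
        for value in query.get("dir", []):
            if ".." in unquote(value).split("/"):     # second decode catches double encoding
                hits.append(m.group(1))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [07/May/2013:10:01:02 +0000] "GET /apps/files_trashbin/index.php?dir=%2Fprojects HTTP/1.1" 200 512',
    '10.0.0.9 - bob [07/May/2013:10:01:07 +0000] "GET /apps/files_trashbin/index.php?dir=%2F..%2F..%2Foutside HTTP/1.1" 200 2048',
    '10.0.0.9 - bob [07/May/2013:10:01:09 +0000] "GET /apps/files/ajax/list.php?dir=%2F HTTP/1.1" 200 128',
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` reports only the second request; `safe_trashbin_dir("alice", "/../../../outside")` returns None, while `safe_trashbin_dir("alice", "/projects")` resolves inside alice's trash bin.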

CREDITS

The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl) for discovering these vulnerabilities.

RESOLUTION

Update to ownCloud Server 5.0.6, 4.5.11 or 4.0.15
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.11.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.15.tar.bz2