Privilege escalation in the calendar application (oC-SA-2013-024)


AFFECTED SOFTWARE

  • ownCloud Server < 5.0.6
  • ownCloud Server < 4.5.11

RISK

  • High

CVE

  • CVE-2013-2043

COMMITS

DESCRIPTION

Because /apps/calendar/ajax/events.php does not verify that the requesting user owns the calendar referenced by its “calendar_id” GET parameter, any authenticated user can download the calendars (and their events) of other users on the same instance by supplying another user's calendar id.

Note: Successful exploitation of this privilege escalation requires a valid account on the instance and the “calendar” app to be enabled (it is enabled by default).
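As an added illustration (not ownCloud's code and not the actual fix), the handler shape behind events.php with the missing ownership check, next to a corrected version that enforces it. The in-memory calendar store, the sample users and the helper names are constructed stand-ins for the real app's classes:

```php
<?php
// Added example, not ownCloud's code: the shape of a calendar "events" handler
// without an ownership check (the bug this advisory describes), then with one.
// Store, lookup helpers and user names are hypothetical stand-ins.

// Constructed sample data: two users, one private calendar each.
$CALENDARS = [
    1 => ['id' => 1, 'userid' => 'alice', 'name' => 'Alice private'],
    2 => ['id' => 2, 'userid' => 'bob',   'name' => 'Bob private'],
];
$EVENTS = [
    1 => [['summary' => 'Dentist',       'start' => '2013-05-06T09:00']],
    2 => [['summary' => 'Board meeting', 'start' => '2013-05-07T14:00']],
];

function findCalendar(int $id): ?array {
    global $CALENDARS;
    return $CALENDARS[$id] ?? null;
}

function findEvents(int $calendarId): array {
    global $EVENTS;
    return $EVENTS[$calendarId] ?? [];
}

// Vulnerable shape: requires a logged-in session, then trusts calendar_id
// as-is. Authentication happens, authorization does not.
function eventsVulnerable(string $currentUser, array $get): array {
    $calendarId = (int) ($get['calendar_id'] ?? 0);
    if (findCalendar($calendarId) === null) {
        return ['status' => 'error', 'data' => ['message' => 'unknown calendar']];
    }
    // Missing: no check that $currentUser owns $calendarId.
    return ['status' => 'success', 'data' => findEvents($calendarId)];
}

// Hardened shape: resolve the calendar, then enforce ownership before any read.
function eventsHardened(string $currentUser, array $get): array {
    $calendarId = (int) ($get['calendar_id'] ?? 0);
    $calendar = findCalendar($calendarId);
    // Same response for "does not exist" and "not yours", so the endpoint
    // cannot be used to enumerate which calendar ids belong to other users.
    if ($calendar === null || $calendar['userid'] !== $currentUser) {
        return ['status' => 'error', 'data' => ['message' => 'calendar not found']];
    }
    return ['status' => 'success', 'data' => findEvents($calendarId)];
}

// bob (authenticated) requests alice's calendar, id 1.
$request = ['calendar_id' => '1'];
$leak   = eventsVulnerable('bob', $request);   // success, alice's events returned
$denied = eventsHardened('bob', $request);     // error, nothing returned
$own    = eventsHardened('alice', $request);   // success, owner sees her events

printf("vulnerable, as bob:  %s, %d event(s)\n", $leak['status'], count($leak['data']));
printf("hardened, as bob:    %s\n", $denied['status']);
printf("hardened, as alice:  %s, %d event(s)\n", $own['status'], count($own['data']));
```

The check belongs where the calendar is resolved from the request, not in the front controller, so that every code path that reads events by id passes through it. To verify an instance, log in as a second test user and request events.php with the first user's calendar_id: a fixed version must not return the other user's events.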

CREDITS

The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl) for discovering this vulnerability.

RESOLUTION

Update to ownCloud Server 5.0.6 or 4.5.11
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.11.tar.bz2