Incomplete blacklist vulnerability (oC-SA-2013-026)
AFFECTED SOFTWARE

  • ownCloud Server < 5.0.6 (running under Apache)

CVE IDENTIFIERS

  • CVE-2013-2089

RISK

  • Critical

COMMITS

DESCRIPTION

An incomplete blacklist in the upload filter of ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and then requesting the uploaded PHP file through the web server.

Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and that the web server interprets .htaccess files (e.g. Apache).
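The advisory classifies the flaw as an incomplete blacklist: the filter rejects a few known-bad file extensions and admits everything else. As an added illustration that is not ownCloud's code, the Python below contrasts a hypothetical blacklist-style filename check with an allowlist-based one on constructed file names; the extension sets, function names and sample names are assumptions made for this example, not values taken from the project.

```python
import posixpath

# Constructed example, not ownCloud code: a blacklist-style upload filter of the
# kind the advisory calls "incomplete", beside an allowlist-based replacement.

# Extensions the hypothetical blacklist tries to block (assumed for the example).
BLOCKED_EXTENSIONS = {"php"}

# Extensions the upload feature is assumed to need; everything else is rejected.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}


def blacklist_accepts(filename: str) -> bool:
    """Weak check: reject only names whose final extension is on the blacklist.

    Anything the list forgot slips through: server configuration files such as
    dotfiles, alternative extensions mapped to the same handler, different casing.
    """
    base = posixpath.basename(filename)
    _, _, ext = base.rpartition(".")
    return ext not in BLOCKED_EXTENSIONS  # case-sensitive, looks at last part only


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: accept only a plain name with exactly one known-safe extension.

    Rejects path separators (traversal), empty and dot-only names, dotfiles
    (which is how server configuration files are named), names without an
    extension, and double extensions such as report.php.txt that some server
    handler configurations still execute.
    """
    if not filename or "/" in filename or "\\" in filename:
        return False
    if filename in (".", "..") or filename.startswith("."):
        return False
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def classify(filenames):
    """Return {name: (blacklist_result, allowlist_result)} for a batch of names."""
    return {name: (blacklist_accepts(name), allowlist_accepts(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names showing where the two checks disagree.
    SAMPLE_NAMES = ["notes.txt", "Photo.JPG", "shell.php", ".htaccess",
                    "shell.phtml", "shell.PHP", "shell.php.txt", "../notes.txt"]
    for name, (weak, strict) in classify(SAMPLE_NAMES).items():
        print(f"{name:16} blacklist={weak!s:5} allowlist={strict!s:5}")
```

The one-dot rule is deliberately strict: it also rejects harmless names such as `report.2013.pdf`, which a deployment may prefer to rename rather than accept. The filename check is only defence in depth; as the advisory's note implies, the stronger fix is to keep the data directory out of the web server's document root (or deny it in the server configuration) so that an uploaded file can never be served as code regardless of its name.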

RESOLUTION

Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2