ownCloud Contributor Conference 2014 Interview
May 20, 2015
PSR-7 released today
May 19, 2015
Today PSR-7 got the 'accepted' state after quite a long journey. This is the result of the hard work of many people, but in particular Matthew Weier O'Phinney who did an amazing job herding cats with class.
Despite my concerns and my lone vote against the proposal, I'm excited to see this become the standard. It's long overdue and it's time for PHP to move on from its clumsy superglobals. I'm also very interested to see if my concerns around the immutability aspect of the objects turned out to be unfounded.
Free your Android from Google. Move contacts and calendar to ownCloud
May 17, 2015
I wrote something similar in Greek but didn't write how to move from Google to ownCloud. The three things you have to move are files, contacts and calendar.
The ownCloud application can be downloaded from Google Play and costs €0.79. You can also download it from the F-Droid market.
This program is amazing; it works just like the other sync clients. You can even upload all your pictures from your Android phone directly to your ownCloud instance.
An alternative application is FolderSync Lite, which seems to work fine with ownCloud over WebDAV.
In ownCloud 8.0.x the Calendar app isn't enabled by default, so you have to enable it: log in as "admin", click on "Apps+" and activate the Calendar app.
Log into your Google Calendar and go to the settings hidden behind the cog wheel icon in the upper right corner. Click on "Calendar" at the top. Look for a "export calendar" link. You will get a ZIP archive downloaded that contains an ICS file. Unpack that ZIP archive. Navigate to the files section on your ownCloud in the web browser and upload the ICS file to any folder using drag-and-drop. Then click on the file in the browser and confirm to have that ICS file imported to your ownCloud calendar. Now your calendar has been copied to ownCloud.
Finally remove the appointments from your Google calendar and stop the sync from your smartphone. You can remove the Google calendar itself neither from Google nor from your phone, so make your ownCloud calendar the new default on your phone instead.
Install CalDAV-Sync on your Android phone (it costs 2.59E). Run the application and set up a CalDAV account. The CalDAV URL can be found in the ownCloud web interface when you navigate to your calendar and click on the cog wheel icon in the lower left corner. It looks something like https://demo.owncloud.org/remote.php/caldav/. You can also get the link from a specific calendar (just check the link next to the calendar you want).
A free alternative is aCalDAV from F-Droid.
In ownCloud 8.0.x the Contacts app isn't enabled by default either. Log in as "admin", click on "Apps+" and activate the Contacts app.
Log into your GMail account, open the contacts, click on "More" and then "Export". Choose to export all contacts in vCard format. Navigate to the files section of your ownCloud in the web browser and upload the VCF file to any folder using drag-and-drop. Then click on the file in the browser and confirm to have those contacts imported into your ownCloud contacts.
And finally remove your contacts from GMail and stop the sync.
Install the CardDAV-Sync app on your Android device (it costs 1.90E). Run the application and set up a CardDAV account. The CardDAV URL can be found in the ownCloud web interface when you navigate to the contacts app and click on the cog wheel icon in the lower left corner and then on the globe icon. It looks something like https://demo.owncloud.org/remote.php/carddav/addressbooks/test/contacts.
A good replacement contacts app is Contacts+.
There is another pretty good solution for syncing an Android phone with a CalDAV/CardDAV server if you don't want to spend money. It's called DAVdroid and it is open source, so you can download it from F-Droid.
Whichever client you pick, only ever enter an https:// URL for your ownCloud: CalDAV and CardDAV authenticate with your ownCloud password on every request, so over plain http anyone on the path can read it.
ownCloud 8.1 coming in June
May 13, 2015
With the release of ownCloud 8.0 we made some changes to our release cycle: we moved to time-based releases every three months. With the focus of the 8.1 release on stability and performance, and to align our schedule better with holiday periods, we've decided it was prudent to lengthen the stabilization period of our first release in this new cycle by one month, easing our transition and maintaining the highest possible quality.
Focus for 8.1
Those of you following our semi-regular development updates will have already noticed the emphasis placed on stability, security and architectural improvements in ownCloud development for this release. While there have been plenty of incremental improvements, much more time has been spent on improving existing functionality than on introducing new functionality.
Adding an extra month to focus on bug fixing will help make sure this ownCloud release is the most stable ever – of course, this also depends on the testing that is done. If you want to be sure that the upcoming ownCloud release is fully ready for your use case – with your specific hardware, software, settings and usage – make sure you test it and report any problems you find! After all, problems our developers do not know about can hardly be fixed.
Your input in testing is paramount to ensure the stability and suitability of ownCloud 8.1 for you!
In our new release cycle, we plan one month for getting features merged and two to stabilize before release. This is similar to how the Linux kernel development works. You can develop on features all the time, and put them in a pull request in GitHub so they can be reviewed. We focus on reviewing, finishing up and merging open pull requests during the first month of a new release cycle and focus on testing, integration and refinement of the whole in the next two months.
By delaying our schedule by one month, the ownCloud 8.3 release will fall in the first week of December. We will then start development for 9.0, which we stabilize over January and February. As December is usually a less active month, we will have a more restricted set of changes that get merged – but it is better that the ‘quiet time’ is in the merging period than in the time we’re working to integrate, test and stabilize the release! The delay helps us ensure a better quality for the ownCloud 9.0 release.
If you’re interested in how ownCloud is developed, read a bit more about it here and check out the contribute page if you want to get involved in improving ownCloud – in any area you like. To keep up with what is going on, read our semi-regular development updates.
First release in the new cycle
So, there you have it. ownCloud 8.1 will be released in the beginning of June with 8.2 coming beginning of September, shortly after the ownCloud Contributor Conference in Berlin.
If you want to make sure this ownCloud release is as close to perfect as you need it to be, make sure to get involved in testing. And if there are features you’d like to get in, get them ready before June so they can be merged!
May 11, 2015
The recent DOM-based cross-site scripting (XSS) vulnerability in WordPress has made me wonder how this could have happened in days where automated static code scanners are even integrated into standard tools such as Burp Suite (the leading toolkit for web application security testing). In this blog post I go into some detail about the vulnerability and about what can be done to catch such a vulnerability.
The Vulnerability in a nutshell
The vulnerability is actually a very trivial one. It lives in the Genericons example.html file that ships with the affected WordPress theme and with the Jetpack plugin used as the test case below; the source code of example.html can be found in the Git history on GitHub as of 734cf336a9f.
If we take a look at the source code, the problem is not too hard to spot for people who are familiar with the peculiarities of older jQuery versions: window.location.hash returns the fragment of the URL (for example.html#foo that is #foo, and the part after the #, foo, ends up in permalink), and this result is then used in a call to jQuery('.' + permalink). jQuery itself tends to be a sink, and versions before 1.9.0 happily parse the argument as HTML and generate the attacker's DOM element even if the string starts with a ., so anything in the fragment that looks like an HTML tag gets created in the page. To be automatically protected against this specific sink one has to use at least jQuery 1.9.0: since that version the argument is only treated as HTML if the string starts with a <, which the prepended . rules out. One should obviously be aware that there are still a ton of other sinks in jQuery, so the upgrade only neutralizes this particular call.
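To make the version dependence concrete, here is an added example (not code from the Genericons file or from jQuery) that models the decision jQuery(arg) makes: the two regexes are transcribed from jQuery's own quickExpr (1.8.x) and rquickExpr (1.9.x) and should be checked against the exact release you ship; the payload is the usual constructed XSS canary, not the published exploit. It puts the page's vulnerable pattern next to a hardened variant that only accepts a plausible class name from the fragment.

```python
import re

# Transcribed from jQuery 1.8.x (quickExpr) and 1.9.x (rquickExpr); group 1 is
# set when the argument is treated as HTML instead of a selector (assumption:
# verify against the jQuery build actually in use).
QUICK_EXPR_1_8 = re.compile(r'^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)')
QUICK_EXPR_1_9 = re.compile(r'^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$')

# Constructed payload for the demonstration (not the published exploit).
PAYLOAD = '<img src=x onerror=alert(1)>'

# A class name as the page intends it: letters, digits, underscore, hyphen.
CLASS_NAME = re.compile(r'^[A-Za-z0-9_-]+$')


def treated_as_html(arg, jquery_version):
    """True if jQuery(arg) in the given version parses arg as HTML
    (creating elements) rather than passing it to the selector engine."""
    major, minor = (int(x) for x in jquery_version.split('.')[:2])
    expr = QUICK_EXPR_1_9 if (major, minor) >= (1, 9) else QUICK_EXPR_1_8
    m = expr.match(arg)
    return bool(m and m.group(1))


def selector_from_hash(fragment):
    """Vulnerable pattern from the page: jQuery('.' + permalink), where
    permalink is window.location.hash without the leading '#'."""
    return '.' + fragment.lstrip('#')


def safe_selector_from_hash(fragment):
    """Hardened form: reject anything that is not a plain class name, so
    angle brackets, quotes and spaces never reach the jQuery sink."""
    name = fragment.lstrip('#')
    if not CLASS_NAME.fullmatch(name):
        return None
    return '.' + name


def main():
    for version in ('1.8.3', '1.9.1'):
        sel = selector_from_hash('#' + PAYLOAD)
        print(f'jQuery {version}: {sel!r} parsed as HTML? {treated_as_html(sel, version)}')
    print('hardened:', safe_selector_from_hash('#' + PAYLOAD), safe_selector_from_hash('#foo'))


if __name__ == '__main__':
    main()
```

With jQuery 1.8.3 the prefixed selector is parsed as HTML and the element is created; with 1.9.1 the leading . keeps it in the selector engine. The hardened variant returns None for the payload and keeps working for a normal fragment such as #foo, which is the behaviour you want regardless of the jQuery version bundled with the page.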
Detecting it statically
As is the case with such easily detectable vulnerabilities, one would expect static code analysis to spot them. And indeed, at least Burp Suite Pro as well as DominatorPro would have spotted this one. So why wasn't it found earlier, considering that WordPress is such widely deployed software?
My take on this is that example.html was an example file and thus not actively linked from anywhere. Many tools used for web application penetration testing are only able to discover content that is actively linked. In most scenarios the security analyst will, however, be able to get access to the actual sources; in an open-source world this is often the case even for so-called black-box testing.
I wrote a short Python script (written for Python 3) that searches all files of a defined type (defaults to .html and .js), copies them into a temporary folder and serves that folder using Python's built-in web server. The directory listing ensures that all packaged files get discovered and analyzed, linked or not.
While there are other existing approaches, I don't feel too keen on adding huge plugins to Burp, and writing a short Python script is way easier than auditing the existing solutions.
The script can be invoked with the following parameters:
-i /var/www/wordpress   # Absolute path to the folder to scan
-p 8000                 # Port the web server should listen on, defaults to 8000
-h 127.0.0.1            # IP the web server should bind to, defaults to 127.0.0.1
-t .html,.js            # File types that should get scanned, defaults to .html,.js
Keep in mind that the server has a directory listing and no authentication: bind it to loopback, or to an address that only the machine running Burp can reach, because everybody who can reach it can download the scanned source tree.
#!/usr/bin/env python3
import sys
import getopt
import os
import tempfile
import atexit
import shutil
from http.server import HTTPServer, SimpleHTTPRequestHandler

temporary_folder = ''


# Clean up the temporary folder with the copied files when the script ends
@atexit.register
def cleanup():
    if temporary_folder != '':
        shutil.rmtree(temporary_folder)


def usage():
    print(os.path.basename(__file__) + ' -i <inputfolder> -p <port> -h <host> -t <types>')
    sys.exit(2)


def main(argv):
    input_folder = ''
    port = 8000
    host = '127.0.0.1'
    types = '.html,.js'

    try:
        opts, args = getopt.getopt(argv, 'i:p:h:t:', ['inputfolder=', 'port=', 'host=', 'types='])
    except getopt.GetoptError:
        usage()
    for opt, arg in opts:
        if opt in ('-i', '--inputfolder'):
            input_folder = os.path.abspath(arg)
        elif opt in ('-p', '--port'):
            port = int(arg)
        elif opt in ('-h', '--host'):
            host = arg
        elif opt in ('-t', '--types'):
            types = arg
    if input_folder == '':
        usage()

    # Create a temporary folder for the items and serve from there
    global temporary_folder
    temporary_folder = tempfile.mkdtemp()
    os.chdir(temporary_folder)

    # Discover files: every matching file is copied into the flat temporary
    # folder under its path relative to the input folder, with the path
    # separators replaced by dots, so the directory listing exposes all of them
    print('Starting file discovery...')
    for root, dirs, files in os.walk(input_folder):
        for file in files:
            if file.endswith(tuple(types.split(','))):
                absolute_source_path = os.path.join(root, file)
                flat_name = os.path.relpath(absolute_source_path, input_folder).replace(os.sep, '.')
                shutil.copyfile(absolute_source_path, os.path.join(temporary_folder, flat_name))
                print('Copied', absolute_source_path)
    print('Ending file discovery...')

    # Serve files (SimpleHTTPRequestHandler generates the directory listing)
    httpd = HTTPServer((host, port), SimpleHTTPRequestHandler)
    sa = httpd.socket.getsockname()
    print('Serving data on', sa[0], 'port', sa[1], '...')
    httpd.serve_forever()


if __name__ == '__main__':
    main(sys.argv[1:])
The script can be stopped by pressing CTRL + C and will try to clean up all files it created.
In this example I'm using the Jetpack 3.5.2 release from GitHub, as it features the vulnerability highlighted in this blog post. You can obviously also run this script over much bigger code bases.
➜ master git:(master) ✗ python burp-scanner.py -i ~/Downloads/jetpack -h 10.211.55.2
Starting file discovery...
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/Gruntfile.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/gallery-settings.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jetpack-admin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jetpack-modules.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jetpack-modules.models.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jetpack-modules.views.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jetpack.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jp.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jquery.inview.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jquery.jetpack-resize.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jquery.jetpack-sync.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/jquery.spin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/postmessage.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/spin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/_inc/genericons/genericons/example.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/wpgroho.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/after-the-deadline/atd-autoproofread.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/after-the-deadline/atd-nonvis-editor-plugin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/after-the-deadline/atd.core.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/after-the-deadline/jquery.atd.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/after-the-deadline/tinymce/editor_plugin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/after-the-deadline/tinymce/plugin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/carousel/jetpack-carousel.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/contact-form/js/grunion-admin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/contact-form/js/grunion-frontend.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/contact-form/js/grunion.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-css/custom-css/js/codemirror.min.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-css/custom-css/js/css-editor.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-css/custom-css/js/use-codemirror.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-post-types/comics/comics.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-post-types/js/many-items.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-post-types/js/menu-checkboxes.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/custom-post-types/js/nova-drag-drop.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/holiday-snow/snowstorm.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/infinite-scroll/infinity.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/likes/post-count-jetpack.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/likes/post-count.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/likes/queuehandler.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/minileven/theme/pub/minileven/js/small-menu.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/photon/photon.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/post-by-email/post-by-email.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/publicize/assets/publicize.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/related-posts/related-posts.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/sharedaddy/admin-sharing.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/sharedaddy/sharing.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/audio-shortcode.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/jmpress.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/jmpress.min.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/jquery.cycle.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/main.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/recipes-printthis.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/recipes.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/shortcodes/js/slideshow-shortcode.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/site-icon/js/site-icon-admin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/site-icon/js/site-icon-crop.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/js/suggest.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/responsive-videos/responsive-videos.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/responsive-videos/responsive-videos.min.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/site-logo/js/site-logo-control.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/site-logo/js/site-logo-control.min.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/site-logo/js/site-logo-header-text.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/site-logo/js/site-logo-header-text.min.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/site-logo/js/site-logo.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/theme-tools/site-logo/js/site-logo.min.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/tiled-gallery/tiled-gallery/tiled-gallery.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/videopress/videopress-admin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/widget-visibility/widget-conditions/widget-conditions.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/widgets/contact-info/contact-info-map.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/widgets/gallery/js/admin.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/modules/widgets/gallery/js/gallery.js
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/a-tags-without-images.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/blank.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/empty-a-tag.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/extra-attributes.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/minimum-multiple-with-links.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/minimum-multiple.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/minimum.html
Copied /Users/lukasreschke/Downloads/jetpack/jetpack-3.5.2/tests/modules/photon/sample-content/multiline.html
Ending file discovery...
Serving data on 10.211.55.2 port 8000 ...
Burp Scanner now has to be configured to also perform static code analysis on passive scans; this can be done in the Scanner options via:
- Static Code Analysis
- Enable: "Active and passive scanning"
After this is done the Spider has to be configured to also follow links to non-text content; this can be done in the Spider options via:
- Crawler Settings
- Uncheck "Ignore links to non-text content"
As a next step, spider the specified host (right-click it in the site map and choose "Spider this host").
After spidering is done all entries in the site map should be black and no longer gray. The final step is to passively scan the whole domain (right-click the host in the site map and choose "Passively scan this host").
While some of the results will likely be false positives, Burp might also find valid items; in this case Burp was able to identify the discussed vulnerability on its own.
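If no Burp Pro licence is at hand, the same files can at least be triaged with a grep-level pass for the source-to-sink pattern discussed above. The following is an added example, not the serving script from this post and not Burp's analyser: it walks a tree the same way the script does and flags every jQuery()/$() call that receives location.hash directly or through a variable assigned from it. The two sample files it scans are constructed approximations written for this example (not the real Genericons example.html); the regexes are deliberately simple and know nothing about validation, scoping or jQuery's other sinks, so hits are leads for manual review, not findings.

```python
import os
import re
import tempfile

# Source, tainting assignment and sink as line-level regexes (heuristic).
SOURCE = re.compile(r'(?:window\.|document\.)?location\.hash')
ASSIGN = re.compile(r'\b(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*([^;]*location\.hash[^;]*)')
SINK = re.compile(r'(?:jQuery|\$)\s*\(\s*([^)]*)\)')
IDENT = re.compile(r'[A-Za-z_$][\w$]*')


def find_dom_xss_candidates(text):
    """Return (line_number, sink_argument) tuples for every jQuery/$ call whose
    argument contains location.hash or a variable previously assigned from it."""
    tainted = set()
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            tainted.add(m.group(1))
        for m in SINK.finditer(line):
            arg = m.group(1)
            if SOURCE.search(arg) or set(IDENT.findall(arg)) & tainted:
                hits.append((lineno, arg.strip()))
    return hits


def scan_tree(root, types=('.html', '.js')):
    """Walk root like the serving script does; map relative path -> hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(tuple(types)):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = find_dom_xss_candidates(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed samples: the vulnerable pattern from the post, and a hardened
# variant that validates the fragment and never hands it to jQuery.
VULNERABLE_JS = """\
var permalink = window.location.hash.substring(1);
jQuery(document).ready(function () {
    jQuery('.' + permalink).addClass('active');
});
"""
HARDENED_JS = """\
var fragment = window.location.hash.substring(1);
if (/^[\\w-]+$/.test(fragment)) {
    var el = document.getElementsByClassName(fragment)[0];
    if (el) { el.classList.add('active'); }
}
"""


def build_samples():
    """Write the constructed samples into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix='domxss-triage-')
    os.makedirs(os.path.join(root, 'genericons'))
    with open(os.path.join(root, 'genericons', 'example.html'), 'w') as fh:
        fh.write('<html><script>\n' + VULNERABLE_JS + '</script></html>\n')
    with open(os.path.join(root, 'hardened.js'), 'w') as fh:
        fh.write(HARDENED_JS)
    return root


if __name__ == '__main__':
    sample_root = build_samples()
    for path, hits in scan_tree(sample_root).items():
        for lineno, arg in hits:
            print(f'{path}:{lineno}: jQuery({arg}) receives location.hash')
```

Run against the samples it reports only genericons/example.html, line 4, with the argument '.' + permalink; hardened.js stays quiet because the fragment is validated and goes to getElementsByClassName instead of jQuery. Point scan_tree at the Jetpack tree from the run above to triage the real files (remove the temp directory afterwards).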
Mitigations and what it means for ownCloud
As explained in an earlier blog post, Content-Security-Policy would indeed help to prevent such XSS problems. In this specific case, however, the vulnerable file was a statically served resource, so the CSP header would have to be applied by the web server rather than by the application.
At ownCloud we are thus considering and evaluating adding a Content-Security-Policy header also for static resources in one of our upcoming major releases. The progress can be tracked on our GitHub page at issue core/16164.
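To show what "applied by the web server" means in practice, here is an added example, not ownCloud's code and not the change tracked in core/16164: it extends the same http.server module the discovery script above uses so that every response, static HTML included, carries a Content-Security-Policy. The policy and the sample page are assumptions chosen for this example; a real deployment needs its own policy and would set the header in Apache or nginx instead.

```python
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Example policy (assumption): no inline script, no inline event handlers,
# no remote script. An injected <img onerror=...> from a DOM XSS in a static
# page is then refused by the browser even though the element is created.
STATIC_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


class CspStaticHandler(SimpleHTTPRequestHandler):
    """Static file handler that adds the CSP header to every reply, including
    errors, because send_error() also ends up in end_headers()."""

    def end_headers(self):
        self.send_header('Content-Security-Policy', STATIC_CSP)
        self.send_header('X-Content-Type-Options', 'nosniff')
        super().end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def serve_directory(directory, host='127.0.0.1'):
    """Serve directory on an ephemeral loopback port in a daemon thread.
    Returns (server, port); call server.shutdown() when done."""
    handler = partial(CspStaticHandler, directory=directory)
    server = ThreadingHTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_headers(port, path, host='127.0.0.1'):
    """GET path from the local server; return (status, lower-cased header dict)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request('GET', path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def build_static_site():
    """Constructed sample: one static page using the vulnerable pattern."""
    root = tempfile.mkdtemp(prefix='csp-static-')
    with open(os.path.join(root, 'example.html'), 'w') as fh:
        fh.write('<html><body><script src="jquery.js"></script>'
                 '<script>jQuery("." + location.hash.substring(1));</script>'
                 '</body></html>\n')
    return root


def csp_header_for(path):
    """Serve the sample site, fetch path, return (status, CSP header or None)."""
    server, port = serve_directory(build_static_site())
    try:
        status, headers = fetch_headers(port, path)
        return status, headers.get('content-security-policy')
    finally:
        server.shutdown()
        server.server_close()


if __name__ == '__main__':
    print(csp_header_for('/example.html'))
```

The header is present on the 200 for example.html and on the 404 for anything else. Note the caveat this exposes: the sample page's own inline <script> block is blocked by the very same policy, exactly like the inline script in the real example.html would be, so static resources have to move their inline script into separate files (or get a nonce or hash) before such a policy can ship, which is part of what makes the ownCloud change non-trivial.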