Auth bypass in user_webdavauth and user_ldap
Platform: ownCloud Server
Versions: 4.0.10, 4.5.5
Risk level: High
ownCloud 4.5.4, ownCloud 4.0.9 and all earlier versions do not sufficiently verify whether a request to settings.php was sent by an admin. This allows unauthenticated users to edit the app configuration of user_webdavauth and user_ldap. An unauthenticated attacker may use this to gain access to any user account on the server if either of these apps is enabled.
- ownCloud Server < 4.0.10 (CVE-2013-5665)
- ownCloud Server < 4.5.5 (CVE-2013-5665)
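The pattern behind this advisory, as an added PHP illustration that is not ownCloud's own code: a settings endpoint that writes app configuration straight from POST data with no admin check, next to the hardened form that refuses the request before reading any input. The session table, the `is_admin` helper, the `backend_host` key and the request data are hypothetical stand-ins constructed for the example; the page does not list the real configuration keys of the two apps. In ownCloud 4.x the core guard such a settings.php should call before touching `$_POST` is `OC_Util::checkAdminUser()`.

```php
<?php
// Added illustration, not ownCloud code. Models an app settings.php endpoint
// that stores app configuration sent in a POST body. All names are hypothetical:
// $sessions stands in for the login session store, $config for the appconfig table.

// Constructed sessions: one admin login and one ordinary user login. An
// unauthenticated request is modelled by passing null as the session id.
$sessions = [
    'sess-admin' => ['user' => 'alice', 'groups' => ['admin']],
    'sess-user'  => ['user' => 'bob',   'groups' => ['users']],
];

function is_admin(array $sessions, ?string $sessionId): bool
{
    if ($sessionId === null || !isset($sessions[$sessionId])) {
        return false; // no session at all: the request is unauthenticated
    }
    return in_array('admin', $sessions[$sessionId]['groups'], true);
}

// Vulnerable pattern: assumes only the admin page ever POSTs here and writes
// the auth backend settings from the request body without any authorisation.
function vulnerable_settings(array &$config, array $post): string
{
    foreach ($post as $key => $value) {
        $config['user_ldap'][$key] = $value;
    }
    return 'saved';
}

// Hardened pattern: the admin check runs first, before a single POST value is
// read. In ownCloud 4.x this is the role of OC_Util::checkAdminUser(), which
// ends the request for non-admins; here the handler returns 'forbidden' instead.
function hardened_settings(array $sessions, ?string $sessionId, array &$config, array $post): string
{
    if (!is_admin($sessions, $sessionId)) {
        if (!headers_sent()) {
            http_response_code(403); // meaningful under a web SAPI, a no-op on the CLI
        }
        return 'forbidden';
    }
    foreach ($post as $key => $value) {
        $config['user_ldap'][$key] = $value;
    }
    return 'saved';
}

// Constructed request: an unauthenticated caller tries to repoint the auth
// backend. The key name is hypothetical; the point is that any write at all
// by a non-admin is the bug.
$untrustedPost = ['backend_host' => 'ldap://attacker-controlled.example'];

$config = ['user_ldap' => ['backend_host' => 'ldap://directory.corp.example']];
vulnerable_settings($config, $untrustedPost);
echo "vulnerable endpoint, no session: backend_host = {$config['user_ldap']['backend_host']}\n";

$config = ['user_ldap' => ['backend_host' => 'ldap://directory.corp.example']];
echo 'hardened endpoint, no session:   ' . hardened_settings($sessions, null, $config, $untrustedPost) . "\n";
echo 'hardened endpoint, plain user:   ' . hardened_settings($sessions, 'sess-user', $config, $untrustedPost) . "\n";
echo 'hardened endpoint, admin:        ' . hardened_settings($sessions, 'sess-admin', $config, $untrustedPost) . "\n";
echo "hardened endpoint, final value:  backend_host = {$config['user_ldap']['backend_host']}\n";
```

Run it with `php settings_check.php`. The check belongs at the very top of the file because the file is reachable by URL on its own: a guard placed only in the admin page that links to it, or one that runs after the configuration has already been written, leaves the endpoint exposed exactly as the advisory describes.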
It is recommended that all instances be upgraded to ownCloud Server 4.5.5 or 4.0.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. – Vulnerability discovery and disclosure.