< go back to overview

Bypass of file blacklist on Microsoft Windows Platform

Platform: ownCloud Server

Versions: 5.0.19, 6.0.7, 7.0.5,

Date: 3/25/2015

Risk level: High


A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files.

An attacker could leverage this bypass by uploading a .htaccess and execute arbitrary PHP code if the /data/ directory is stored inside the webroot and a webserver that interprets .htaccess files is used (e.g. Apache)

ownCloud always recommends to move the data directory outside of the web root.

Affected Software

  • ownCloud Server < 7.0.5 (CVE-2015-3013)
  • ownCloud Server < 6.0.7 (CVE-2015-3013)
  • ownCloud Server < 5.0.19 (CVE-2015-3013)

Action Taken

The blacklist bypass has been fixed and unit tests has been added to prevent future regressions.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.