Bypass of file blacklist
Platform: ownCloud Server
Versions: 5.0.19, 6.0.7, 7.0.5,
Risk level: High
A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud versions, allows authenticated remote attackers to bypass the file blacklist and upload files such as the
An attacker could leverage this bypass by uploading a
.htaccess and execute arbitrary PHP code if the
/data/ directory is stored inside the webroot and a webserver that interprets
.htaccess files is used (e.g. Apache)
ownCloud always recommends to move the
data directory outside of the web root.
- ownCloud Server < 7.0.5 (CVE-2015-3013)
- ownCloud Server < 6.0.7 (CVE-2015-3013)
- ownCloud Server < 5.0.19 (CVE-2015-3013)
The blacklist bypass has been fixed and unit tests has been added to prevent future regressions.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.