Bypass of shared files password protection in “documents” application
Platform: ownCloud Server
Versions: 6.0.6, 7.0.3,
Risk level: Medium
The “documents” application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents.
Due to missing access control within the API of this application, the password-protection of shared files can be bypassed.
- ownCloud Server < 7.0.3 (CVE-2014-9048)
- ownCloud Server < 6.0.6 (CVE-2014-9048)
The “documents” application now verifies the password before granting access to shared files.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.