Code execution in /lib/filesystem.php
Platform: ownCloud Server
Versions: 4.0.10, 4.5.5,
Risk level: High
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.2 allows authenticated remote attackers to execute arbitrary code by uploading a file with a special crafted filename.
- ownCloud Server < 4.0.10 (CVE-2013-5665)
- ownCloud Server < 4.5.5 (CVE-2013-5665)
It is recommended that all instances are upgraded to ownCloud Server 4.5.5 or 4.0.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (email@example.com) – Vulnerability discovery and disclosure.