Code execution in /lib/migrate.php
Platform: ownCloud Server
Risk level: High
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.
- ownCloud Server < 4.0.7 (CVE-2012-4389)
It is recommended that all instances are upgraded to ownCloud Server 4.0.7.
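The incomplete-blacklist weakness described above, as an added example that is not ownCloud's code or its actual fix: a denylist of script extensions lets a .htaccess entry in an import archive through, while an allowlist check refuses it. The extension lists, function names and sample archive are assumptions constructed for illustration.

```php
<?php
// Added illustration, not ownCloud's code; lists and function names are assumptions.
// Denylist: blocks only the extensions someone thought of in advance.
function denylistAccepts(string $entry): bool {
    $blocked = ['php', 'php5', 'phtml']; // hypothetical denylist
    return !in_array(strtolower(pathinfo($entry, PATHINFO_EXTENSION)), $blocked, true);
}

// Allowlist: only known-inert types pass; dotfiles and traversal are refused.
function allowlistAccepts(string $entry): bool {
    $allowed = ['txt', 'json', 'jpg', 'png', 'pdf']; // hypothetical allowlist
    $path = str_replace('\\', '/', $entry);
    $isDir = substr($path, -1) === '/';
    foreach (explode('/', rtrim($path, '/')) as $part) {
        // Refuses a leading "/", "..", dotfiles such as ".htaccess", empty segments, NUL bytes.
        if ($part === '' || $part[0] === '.' || strpos($part, "\0") !== false) {
            return false;
        }
    }
    return $isDir || in_array(strtolower(pathinfo($path, PATHINFO_EXTENSION)), $allowed, true);
}

// Names of the archive entries that the given check refuses.
function rejectedEntries(string $zipPath, callable $accepts): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!$accepts($name)) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample archive with inert contents, to exercise both checks.
$tmp = tempnam(sys_get_temp_dir(), 'imp');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
foreach (['notes.txt', 'photos/a.jpg', 'data/.htaccess', 'data/page.php'] as $n) {
    $zip->addFromString($n, 'sample');
}
$zip->close();
print_r(rejectedEntries($tmp, 'denylistAccepts'));
print_r(rejectedEntries($tmp, 'allowlistAccepts'));
unlink($tmp);
```

Running it requires PHP's zip extension; an importer would run such a check on every entry name before extracting anything.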
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Julien Cayssol – Vulnerability discovery and disclosure.