CSRF in “bookmarks” application
Platform: ownCloud Server
Versions: 5.0.18, 6.0.6, 7.0.3
Risk level: Low
Because the import functionality of the “bookmarks” application did not verify the CSRF token, it was vulnerable to CSRF attacks.
The “bookmarks” application is disabled by default.
An unauthenticated attacker could have used this to import bookmarks into the “bookmarks” application if the victim visited a specially crafted website while logged in to the ownCloud instance.
Furthermore, an unauthenticated attacker could have chained this vulnerability with oC-SA-2014-028, resulting in a potential cross-site scripting vulnerability.
- ownCloud Server < 7.0.3 (CVE-2014-9041)
- ownCloud Server < 6.0.6 (CVE-2014-9041)
- ownCloud Server < 5.0.18 (CVE-2014-9041)
The import functionality is now verifying the CSRF token.
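To make the fix concrete, the following Python example (added here; it is not ownCloud code) contrasts an import handler that trusts the session cookie alone, as the affected versions did, with one that verifies a per-session CSRF token before touching any state. The `Session` and `Request` classes, the handler names and the `requesttoken` parameter name are assumptions for illustration; the session cookie is modelled as the `session` attribute that the browser attaches to every request, same-origin or not.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side state for one logged-in user (constructed for this example)."""
    user: str
    bookmarks: list = field(default_factory=list)
    # Per-session anti-CSRF token: random and unguessable, and only readable
    # by pages served from the application's own origin, where it is
    # embedded in forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """A POST to the bookmarks import endpoint as the server sees it."""
    # The browser attaches the session cookie to cross-site requests as well,
    # so the handler always sees a valid session; the cookie proves nothing
    # about where the request originated.
    session: Session
    form: dict


def import_bookmarks_unchecked(request: Request) -> tuple[int, int]:
    """Pre-fix behaviour: the session cookie alone is treated as authorisation."""
    urls = request.form.get("bookmarks", [])
    request.session.bookmarks.extend(urls)
    return 200, len(urls)


def import_bookmarks_checked(request: Request) -> tuple[int, int]:
    """Fixed behaviour: the request must carry the session's CSRF token."""
    supplied = request.form.get("requesttoken")  # parameter name assumed
    expected = request.session.csrf_token
    # Constant-time comparison so a wrong token leaks nothing via timing.
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied.encode(), expected.encode()
    ):
        # Missing or wrong token: reject before modifying any state.
        return 403, 0
    urls = request.form.get("bookmarks", [])
    request.session.bookmarks.extend(urls)
    return 200, len(urls)


def run_scenario(handler) -> dict:
    """Send a same-origin and a cross-site import to `handler` on a fresh session.

    Returns (status, imported_count) per request plus the resulting bookmark list.
    """
    victim = Session(user="alice")

    # Same-origin form submission: the page that rendered the form could read
    # the token and embedded it, so the request carries the right value.
    same_origin = Request(
        session=victim,
        form={"bookmarks": ["https://example.org/docs"],
              "requesttoken": victim.csrf_token},
    )
    # Cross-site submission: a third-party page can make the browser POST to
    # the endpoint with the cookie attached, but cannot read the token, so it
    # can only omit it or guess (a fresh random value here, constructed).
    cross_site = Request(
        session=victim,
        form={"bookmarks": ["https://third-party.example/"],
              "requesttoken": secrets.token_hex(32)},
    )

    return {
        "same_origin": handler(same_origin),
        "cross_site": handler(cross_site),
        "bookmarks": list(victim.bookmarks),
    }


def compare_handlers() -> dict:
    """Run both handlers side by side; the unchecked one accepts the forged import."""
    return {
        "unchecked": run_scenario(import_bookmarks_unchecked),
        "checked": run_scenario(import_bookmarks_checked),
    }


if __name__ == "__main__":
    for name, result in compare_handlers().items():
        print(f"{name}: {result}")
```

The point the example makes is that authentication (the cookie) and intent (the token) are separate properties: the browser supplies the first automatically for any origin, so only a value the cross-site page cannot read distinguishes the victim's own form submission from a forged one. The token is rejected before any bookmark is stored, which is also what breaks the chain into the stored XSS of oC-SA-2014-028.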
The ownCloud team thanks the following people for their research and responsible disclosure of the issue described in this advisory:
- Alain Homewood – PwC New Zealand – Vulnerability discovery and disclosure.