< go back to overview

Disclosure of users files when deleting parent folders of shared files

Platform: ownCloud Server

Versions: 6.0.9, 7.0.7, 8.0.5,

Date: 8/3/2015

Risk level: Medium

CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CWE: Unchecked Return Value (CWE-252)


Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that setup a virtual chroot or other security relevant limitations PHP would typecast the return value to an empty string and thus effectively bypassing the internal security functions of ownCloud.

getPath with a return type of null is a common occurrence in case a folder has been shared publicly and the parent item has been deleted later from the database. Due to missing foreign keys the share is still considered valid and will finally resolve to the users’ root directory.

In such cases an adversary with knowledge of the sharing link to a deleted item may be able to access all files of the user and not only the original shared directory.

Affected Software

  • ownCloud Server < 7.0.7 (CVE-2015-5954)
  • ownCloud Server < 8.0.5 (CVE-2015-5954)
  • ownCloud Server < 6.0.9 (CVE-2015-5954)

Action Taken

All usages of the getPath function has been revised and corrected.

Furthermore, ownCloud 8.2 will feature another security hardening where instead of returning null for invalid files now an exception is thrown. In case of an exception ownCloud will stop the script execution and also static source code analysis will make developers aware of such situations.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.