Disclosure of users files when deleting parent folders of shared files
Platform: ownCloud Server
Versions: 6.0.9, 7.0.7, 8.0.5,
Risk level: Medium
CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Due to a common incorrect usage of the
getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return
null in case the specified file does not exist anymore. When passing the result of
getPath in combination with
null to functions that setup a virtual chroot or other security relevant limitations PHP would typecast the return value to an empty string and thus effectively bypassing the internal security functions of ownCloud.
getPath with a return type of
null is a common occurrence in case a folder has been shared publicly and the parent item has been deleted later from the database. Due to missing foreign keys the share is still considered valid and will finally resolve to the users’ root directory.
In such cases an adversary with knowledge of the sharing link to a deleted item may be able to access all files of the user and not only the original shared directory.
- ownCloud Server < 7.0.7 (CVE-2015-5954)
- ownCloud Server < 8.0.5 (CVE-2015-5954)
- ownCloud Server < 6.0.9 (CVE-2015-5954)
All usages of the
getPath function has been revised and corrected.
Furthermore, ownCloud 8.2 will feature another security hardening where instead of returning
null for invalid files now an exception is thrown. In case of an exception ownCloud will stop the script execution and also static source code analysis will make developers aware of such situations.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.