Enumeration of shared files in documents

Platform: ownCloud Server

Versions: 6.0.3

Date: 5/24/2014

Risk level: Low

Description

Because the documents app used the auto-incrementing file_id instead of the randomly generated token to access files, an authenticated user could enumerate shared files of other users.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3837)

Action Taken

We replaced the usage of file_id with our randomly generated file sharing token.
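
The difference between the lookup described under Description and the one described under Action Taken, as an added example that is not ownCloud code: a constructed in-memory share table with both lookup patterns and a regression check that lists which foreign shares a user can open from a set of candidate keys. The class and function names, the sample paths and the 128-bit token size are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Share:
    file_id: int   # auto-incrementing key: 1, 2, 3, ... (predictable)
    owner: str
    path: str
    # Assumption: 128-bit token from a CSPRNG; the advisory only says "random".
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class ShareTable:
    """Constructed in-memory stand-in for a share table (not ownCloud's schema)."""

    def __init__(self):
        self._by_id, self._by_token, self._next_id = {}, {}, 1

    def add(self, owner, path):
        share = Share(self._next_id, owner, path)
        self._next_id += 1
        self._by_id[share.file_id] = share
        self._by_token[share.token] = share
        return share

    def open_by_file_id(self, user, file_id):
        # Pre-fix pattern: being logged in is the only gate, and the key is guessable.
        return self._by_id.get(file_id) if user else None

    def open_by_token(self, user, token):
        # Post-fix pattern: the lookup key is the unguessable sharing token.
        return self._by_token.get(token) if user else None


def foreign_shares_reachable(opener, user, candidate_keys):
    """Regression check: paths owned by others that `user` can open from the keys."""
    found = (opener(user, key) for key in candidate_keys)
    return [s.path for s in found if s is not None and s.owner != user]


if __name__ == "__main__":
    table = ShareTable()
    for owner, path in [("alice", "/a/plan.odt"), ("bob", "/b/notes.odt")]:
        table.add(owner, path)  # constructed sample data
    print(foreign_shares_reachable(table.open_by_file_id, "carol", range(1, 50)))
    print(foreign_shares_reachable(table.open_by_token, "carol", map(str, range(1, 50))))
```

A check like `foreign_shares_reachable` fits in a test suite as a guard against reintroducing a sequential identifier as the access key.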

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.
