Flooding logfiles with a 1 Bit BMP File
Platform: ownCloud Server
Versions: 8.1.11, 8.2.9, 9.0.7, 9.1.3
Date: 2/2/2017
Risk level: Medium
CVSS v3 Base Score: 4.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)
CWE: Logging of Excessive Data (CWE-779)
Description
An attacker can upload a 1 Bit BMP file that causes the server to hang and to keep writing to a logfile without stopping.
Affected Software
- ownCloud Server < 9.1.3 (CVE-2017-5867)
- ownCloud Server < 9.0.7 (CVE-2017-5867)
- ownCloud Server < 8.2.9 (CVE-2017-5867)
- ownCloud Server < 8.1.11 (CVE-2017-5867)
Action Taken
Suppress error messages for 1 Bit BMP files.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: