Host Header Poisoning
Platform: ownCloud Server
Versions: 5.0.15, 6.0.2,
Risk level: Medium
Due to trusting user supplied input and interpret it as Host header an attacker is able to craft a password reset mail with a link pointing to his own site. If a user clicks on the link or a software (e.g. antivirus) is accessing the link the attacker is able to reset the user password.
- ownCloud Server < 6.0.2 (CVE-2014-2047)
- ownCloud Server < 5.0.15 (CVE-2014-2049)
The new ‘trusted_domain’ setting has been introduced in which all domains from which ownCloud should be accessible has to be specified. A default configuration can be found in config/config.sample.php.
ownCloud will add this configuration setting on its own during an update or a fresh installation using the currently used domain.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.