
Improper authorization checks in core

Platform: ownCloud Server

Versions: 5.0.16, 6.0.3

Date: 5/24/2014

Risk level: Medium

Description

Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to access the file names of other users.

Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3838)
  • ownCloud Server < 5.0.16 (CVE-2014-3838)

Action Taken

We added a permission check that verifies whether the account is allowed to share the specified file.
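The following constructed Python model illustrates the class of defect described here and the shape of the fix: a share entry point that resolves a caller-supplied file id and creates the share without checking that the caller holds share permission on that file, beside one that performs the check. It is an added example, not ownCloud code; the service, users, file names and the `share` permission string are all assumptions for illustration.

```python
"""Constructed model of a share endpoint with and without an authorization check.

Not ownCloud code. The data (users, file ids, names) is made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class StoredFile:
    file_id: int
    owner: str
    name: str


@dataclass
class Share:
    file_id: int
    shared_by: str
    shared_with: str
    display_name: str  # what the recipient sees: the file name


class ShareService:
    """Toy share service with a vulnerable and a fixed share entry point."""

    def __init__(self) -> None:
        self.files: Dict[int, StoredFile] = {}
        self.shares: List[Share] = []
        # (user, file_id) -> permission strings granted on that file (assumed model)
        self.grants: Dict[Tuple[str, int], Set[str]] = {}

    def add_file(self, file_id: int, owner: str, name: str) -> None:
        self.files[file_id] = StoredFile(file_id, owner, name)

    def grant(self, user: str, file_id: int, *perms: str) -> None:
        self.grants.setdefault((user, file_id), set()).update(perms)

    def can_share(self, user: str, f: StoredFile) -> bool:
        # Owners may always share; others only if explicitly granted "share".
        return f.owner == user or "share" in self.grants.get((user, f.file_id), set())

    def share_unchecked(self, sharer: str, file_id: int, recipient: str) -> None:
        # VULNERABLE PATTERN: only verifies the id resolves, never that the
        # sharer may share it. The recipient then sees the file name.
        f = self.files[file_id]
        self.shares.append(Share(f.file_id, sharer, recipient, f.name))

    def share_checked(self, sharer: str, file_id: int, recipient: str) -> None:
        # FIXED PATTERN: authorize the sharer against the resolved file first.
        # Missing and unauthorized ids raise the same error so the endpoint
        # does not become an oracle for which ids exist.
        f = self.files.get(file_id)
        if f is None or not self.can_share(sharer, f):
            raise PermissionError("sharer is not permitted to share this file")
        self.shares.append(Share(f.file_id, sharer, recipient, f.name))

    def names_visible_to(self, user: str) -> List[str]:
        return sorted(s.display_name for s in self.shares if s.shared_with == user)


def build_demo_service() -> ShareService:
    svc = ShareService()
    svc.add_file(1, "alice", "salary-review.pdf")  # constructed sample data
    svc.add_file(2, "mallory_a", "notes.txt")
    return svc


def attempt_share(svc: ShareService, use_fix: bool, sharer: str,
                  file_id: int, recipient: str) -> bool:
    """Return True if the share was created, False if it was refused."""
    entry = svc.share_checked if use_fix else svc.share_unchecked
    try:
        entry(sharer, file_id, recipient)
        return True
    except (KeyError, PermissionError):
        return False


if __name__ == "__main__":
    svc = build_demo_service()
    attempt_share(svc, False, "mallory_a", 1, "mallory_b")
    print("unchecked, second account sees:", svc.names_visible_to("mallory_b"))
    svc = build_demo_service()
    attempt_share(svc, True, "mallory_a", 1, "mallory_b")
    print("checked, second account sees:", svc.names_visible_to("mallory_b"))
```

The check belongs at the point where the file id is resolved, not in the UI that lists a user's own files: the id space is shared across all accounts, so any endpoint that accepts an id must re-derive the caller's rights to the object it names.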

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Eddy Xu (flyingtest09@gmail.com) – Vulnerability discovery and disclosure.
  • Robin Appelmann – ownCloud Inc. (icewind@owncloud.com) – Investigating the affected components and providing a patch.
  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Coordinating the patches.
