Improper authorization checks in core
Platform: ownCloud Server
Versions: 5.0.16, 6.0.3
Date: 5/24/2014
Risk level: Medium
Description
Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to obtain the file names of other users' files.
Our post-mortem audit showed that this vulnerability leaks only the filename; neither file contents nor the directory structure are exposed.
Affected Software
- ownCloud Server < 6.0.3 (CVE-2014-3838)
- ownCloud Server < 5.0.16 (CVE-2014-3838)
Action Taken
We added a permission check that verifies the acting account is allowed to share the specified file before the share is processed.
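The following is an added illustration of the bug class this advisory describes, written for this page and not taken from ownCloud's code base. It assumes a hypothetical share operation that resolves a caller-supplied numeric file id and returns the share record (including the file name) to the recipient; the store, the `can_share` rule (owner-only) and the sample accounts and file names are all constructed for the example. The vulnerable variant trusts the id, so a user who controls two accounts can share a file he does not own from one account to the other and read its name from the result; the fixed variant performs the permission check first and fails closed for unknown ids as well, so the error does not reveal whether a given id exists.

```python
"""Constructed example: missing vs. present authorization check on a share-by-id operation.
Not ownCloud's code; the file store, the permission rule and the sample data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class File:
    file_id: int
    owner: str
    name: str


@dataclass
class Store:
    files: dict = field(default_factory=dict)    # file_id -> File
    shares: list = field(default_factory=list)   # (file_id, sharer, recipient)

    def can_share(self, user: str, file_id: int) -> bool:
        """Hypothetical permission rule: only the owner may share a file.
        Returns False for unknown ids so the caller cannot probe for existence."""
        f = self.files.get(file_id)
        return f is not None and f.owner == user


def share_file_vulnerable(store: Store, actor: str, file_id: int, recipient: str) -> dict:
    """Creates a share from a caller-supplied id with no check that `actor`
    may share that file; the returned record leaks the file name to `recipient`."""
    f = store.files[file_id]                      # resolves any id, for any user
    store.shares.append((file_id, actor, recipient))
    return {"file_id": file_id, "name": f.name, "shared_by": actor}


def share_file_fixed(store: Store, actor: str, file_id: int, recipient: str) -> dict:
    """Same operation with the authorization check performed before any file
    metadata is touched. Raises PermissionError for foreign and unknown ids alike."""
    if not store.can_share(actor, file_id):
        raise PermissionError(f"{actor} may not share file {file_id}")
    f = store.files[file_id]
    store.shares.append((file_id, actor, recipient))
    return {"file_id": file_id, "name": f.name, "shared_by": actor}


def build_store() -> Store:
    """Constructed sample data: one file owned by the victim, one by the attacker."""
    s = Store()
    s.files[7] = File(7, "alice", "salary-review-2014.xlsx")
    s.files[8] = File(8, "mallory", "notes.txt")
    return s


def demo() -> tuple:
    """Attacker controls two accounts (mallory, mallory2) and submits id 7,
    which belongs to alice. Returns (name leaked by the vulnerable path,
    whether the fixed path denied the request)."""
    leaked = share_file_vulnerable(build_store(), "mallory", 7, "mallory2")["name"]
    try:
        share_file_fixed(build_store(), "mallory", 7, "mallory2")
        denied = False
    except PermissionError:
        denied = True
    return leaked, denied


if __name__ == "__main__":
    print(demo())
```

The check belongs before the lookup result is used for anything, not after the share row is written: an authorization failure that still returns the resolved name, or that differs in wording between "no such file" and "not yours", leaks the same information the advisory is about.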
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the vulnerability described in this advisory:
- Eddy Xu (flyingtest09@gmail.com) – Vulnerability discovery and disclosure.
- Robin Appelmann – ownCloud Inc. (icewind@owncloud.com) – Investigating the affected components and providing a patch.
- Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Coordinating the patches.