Incomplete blacklist vulnerability
Platform: ownCloud Server
Risk level: High
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file.
Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and that the webserver interprets .htaccess files (e.g. Apache).
- ownCloud Server < 5.0.6 (CVE-2013-2089)
It is recommended that all instances are upgraded to ownCloud Server 5.0.6.
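Until the upgrade is in place, an instance can be checked against the conditions named in this advisory. The following Python sketch is an added example, not ownCloud code: it compares the installed version with 5.0.6, tests whether the data directory resolves to a path inside the webroot, and lists .htaccess and .php files below the data directory for manual review. The function names, paths and sample files are constructed for illustration, and it does not check whether the webserver interprets .htaccess files.

```python
import os
import re
import tempfile

FIXED = (5, 0, 6)  # first fixed release named in the advisory

def parse_version(text):
    """'5.0.5' -> (5, 0, 5); shorter versions are padded with zeros."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def inside(child, parent):
    """True if child is parent or below it, with symlinks resolved."""
    child, parent = os.path.realpath(child), os.path.realpath(parent)
    return os.path.commonpath([child, parent]) == parent

def review_candidates(datadir):
    """Relative paths of .htaccess and *.php* files below datadir."""
    hits = []
    for root, _dirs, files in os.walk(datadir):
        for name in files:
            low = name.lower()
            if low == ".htaccess" or ".php" in low:
                hits.append(os.path.relpath(os.path.join(root, name), datadir))
    return sorted(hits)  # every hit needs manual review; some may be legitimate

def audit(version, datadir, webroot):
    vulnerable = parse_version(version) < FIXED
    exposed = inside(datadir, webroot)
    return {"vulnerable_version": vulnerable, "data_in_webroot": exposed,
            "at_risk": vulnerable and exposed,
            "review": review_candidates(datadir) if exposed else []}

def demo():
    """Constructed layouts: data inside the webroot, outside it, and patched."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "www", "owncloud")
        files = os.path.join(webroot, "data", "alice", "files")
        os.makedirs(files)
        for name in (".htaccess", "upload.PHP", "notes.txt"):
            open(os.path.join(files, name), "w").close()
        outside = os.path.join(tmp, "srv", "ocdata")
        os.makedirs(outside)
        data = os.path.join(webroot, "data")
        return (audit("5.0.5", data, webroot), audit("5.0.5", outside, webroot),
                audit("5.0.6", data, webroot))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real instance, call `audit()` with the installed version string, the configured data directory and the webserver's document root.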
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.