Incomplete blacklist vulnerability
Platform: ownCloud Server
Versions: 4.0.13, 4.5.8
Risk level: High
Incomplete blacklist vulnerability in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to upload a .htaccess file and thereby execute arbitrary PHP code in a standard Apache installation.
- ownCloud Server < 4.5.8 (CVE-2013-1850)
- ownCloud Server < 4.0.13 (CVE-2013-1850)
It is recommended that all instances are upgraded to ownCloud Server 4.5.8 or 4.0.13.
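The class of bug described above, shown as an added example that is not ownCloud's code: a filename check built on a blacklist of dangerous extensions beside one built on an allowlist of what a contacts import needs. The function names, the blacklist contents and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration; not ownCloud's code. Function names and the blacklist
// contents are hypothetical, chosen to show the class of bug.

// Weak: reject extensions known to be dangerous. Anything not on the list
// passes, including Apache's per-directory configuration file.
function blacklist_allows(string $name): bool {
    $blocked = ['php', 'php5', 'phtml', 'pl', 'cgi'];   // hypothetical list
    // pathinfo() reports "htaccess" as the extension of ".htaccess".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Stronger: accept only what the import feature needs (vCard files).
// The pattern requires a plain base name: no leading dot, no path
// separators, no control bytes, and a literal ".vcf" at the very end
// (\z, unlike $, does not tolerate a trailing newline).
function allowlist_allows(string $name): bool {
    $pattern = '/\A[A-Za-z0-9_][A-Za-z0-9 _.-]{0,120}\.vcf\z/i';
    return preg_match($pattern, $name) === 1;
}

// Constructed sample upload names.
$samples = [
    'friends.vcf',    // legitimate import
    'shell.php',      // caught by both checks
    '.htaccess',      // passes the blacklist, rejected by the allowlist
    '.htaccess.vcf',  // dotfile with an allowed suffix
    '../x.vcf',       // path traversal attempt
    "a.vcf\n",        // trailing newline
];

foreach ($samples as $n) {
    printf(
        "%-18s blacklist=%-5s allowlist=%s\n",
        json_encode($n),
        blacklist_allows($n) ? 'pass' : 'block',
        allowlist_allows($n) ? 'pass' : 'block'
    );
}
```

Only `friends.vcf` passes the allowlist, while the blacklist blocks nothing except `shell.php`. Independently of filename checks, Apache ignores .htaccess files in directories configured with `AllowOverride None`.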
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.