
LDAP injection

Platform: ownCloud Server

Versions: 5.0.15, 6.0.2

Date: 7/3/2014

Risk level: Medium

Description

Because user-supplied values were not properly sanitized before being placed into LDAP queries, an attacker is able to:

  • Gain information about existing LDAP users
  • Modify the login query, e.g. with a wildcard

Affected Software

  • ownCloud Server < 6.0.2 (CVE-2014-2047)
  • ownCloud Server < 5.0.15 (CVE-2014-2049)

Action Taken

All LDAP queries have been reviewed and proper sanitization added.
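The following is an added illustration of the defect class described above and of the fix described under "Action Taken"; it is not ownCloud code (ownCloud Server is written in PHP, and this language-independent illustration is in Python). It places a username into a login filter first without escaping and then with RFC 4515 filter escaping, so that a wildcard supplied as the username becomes a literal `\2a` instead of a match-anything pattern. The attribute names `uid` and `objectClass`, the function names, and the review helper are assumptions made for the example.

```python
"""Added example, not ownCloud code: escaping values embedded in LDAP filters.

Assumptions (hypothetical, not taken from the ownCloud code base): the
attribute names 'uid' and 'objectClass', the function names below, and the
allowlist used for defence in depth.
"""
import re

# RFC 4515, section 3: inside a filter assertion value these characters must
# be written as a backslash followed by the two hex digits of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Defence in depth: a conservative allowlist for login names. The escape
# function alone is sufficient for filter safety; this is an extra gate.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a string so it can be embedded in an LDAP search filter.

    Each character is mapped exactly once, so an already-present backslash
    becomes \\5c and cannot be used to smuggle an escape sequence through.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_plausible_username(username: str) -> bool:
    """Reject names outside the allowlist before they reach the directory."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: raw interpolation of the login name."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """The hardened pattern: escape the value before interpolating it."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def contains_bare_wildcard(filter_str: str) -> bool:
    """Review aid: an escaped filter never contains a literal '*'.

    Seeing one in a filter that was built from user input is a strong sign
    that the value was interpolated without escaping.
    """
    return "*" in filter_str


if __name__ == "__main__":
    # Constructed sample input: the wildcard case named in the advisory.
    for name in ("alice", "*"):
        print("unsafe:", build_login_filter_unsafe(name))
        print("safe:  ", build_login_filter_safe(name))
        print("allowlisted:", is_plausible_username(name))
```

Two details matter in practice: filter escaping (RFC 4515) is not the same as distinguished-name escaping (RFC 4514), so a value that goes into a DN needs the DN rules instead; and escaping must happen at the point where the value is placed into the filter, not once at input time, because a stored value may later be reused in a different context.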

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.
