< go back to overview

Local file disclosure due to the preview system

Platform: ownCloud Server

Versions: 6.0.6, 7.0.3,

Date: 11/25/2014

Risk level: High

Description

ownCloud includes a preview system which generates the small thumbnails shown in the file list of the web interface. This functionality can be controlled with the enable_previews switch in config.php and is enabled by default.

Multiple unspecified vulnerabilities have been found within the preview system. Using these vulnerabilities an authenticated adversary (or an unauthenticated one if public uploads are enabled) may be able to extract local files from the ownCloud system.

Affected Software

  • ownCloud Server < 7.0.3 (CVE-2014-9047)
  • ownCloud Server < 6.0.6 (CVE-2014-9047)

Action Taken

An additional configuration switch has been added to config.php. The enabledPreviewProviders option allows defining which preview providers are enabled.

By default the preview system is now only generating thumbnails for images and plain-text based formats. File formats that may leak local file content have been disabled by default.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close