
Local Path Disclosure when using Asset Pipeline

Platform: ownCloud Server

Versions: 7.0.3

Date: 11/25/2014

Risk level: Low


ownCloud 7 introduced the so-called “Asset Pipeline”. It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php.

When the setting is enabled, ownCloud concatenates all CSS and JS files into a single large blob file. This lowers the number of requests initially required to load the ownCloud instance, so the instance loads faster.

The generated files are stored on the local filesystem and use a filename that is generated by hashing the original CSS and JS absolute file paths using MD5.

Therefore, an attacker could perform a brute-force attack to learn under which path (e.g. /var/www/owncloud/) the ownCloud instance was installed.

Affected Software

  • ownCloud Server < 7.0.3 (CVE-2014-9044)

Action Taken

The filename is now generated from file paths relative to the ownCloud installation. Therefore an attacker can no longer brute-force the absolute paths.
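The difference between the two naming schemes, as an added example that is not ownCloud's own code: it assumes the paths are sorted and joined with a comma before hashing, and the asset list and install roots are constructed sample values.

```python
import hashlib
import posixpath

# Constructed sample: asset files, given relative to the install root.
ASSETS = ["core/js/jquery.min.js", "core/js/js.js", "core/css/styles.css"]

# Constructed sample install roots for comparison.
ROOTS = ["/var/www/owncloud", "/srv/http/owncloud", "/home/web/oc"]


def name_from_absolute(root, assets):
    """Pre-fix scheme as the advisory describes it: MD5 over absolute paths.

    Sorting and joining with ',' is an assumption of this example.
    """
    absolute = sorted(posixpath.join(root, a) for a in assets)
    return hashlib.md5(",".join(absolute).encode()).hexdigest()


def name_from_relative(root, assets):
    """Post-fix scheme: MD5 over paths relative to the install root."""
    absolute = [posixpath.join(root, a) for a in assets]
    relative = sorted(posixpath.relpath(p, root) for p in absolute)
    return hashlib.md5(",".join(relative).encode()).hexdigest()


def depends_on_root(scheme, roots, assets=ASSETS):
    """True if the generated name varies with the install root.

    A publicly visible filename that varies with the root carries
    information about the server's local path; one that does not is
    the same on every installation and reveals nothing about it.
    """
    return len({scheme(root, assets) for root in roots}) > 1


if __name__ == "__main__":
    for label, scheme in (("absolute", name_from_absolute),
                          ("relative", name_from_relative)):
        print(label, "-> name depends on install root:",
              depends_on_root(scheme, ROOTS))
        for root in ROOTS:
            print("   ", root, scheme(root, ASSETS))
```

The same property check can be run against any asset-naming function to confirm that nothing derived from the server's filesystem layout reaches a client-visible name.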


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.
