Local Path Disclosure when using Asset Pipeline
Platform: ownCloud Server
Risk level: Low
ownCloud 7 introduced the so-called “Asset Pipeline”. It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php.
When the setting is enabled, ownCloud concatenates all CSS and JS files into a single large blob file. This lowers the number of requests needed for the initial page load, so the instance loads faster.
The generated files are stored on the local filesystem and use a filename that is generated by hashing the original CSS and JS absolute file paths using MD5.
Therefore, an attacker could perform a brute-force attack to learn the path (e.g. /var/www/owncloud/) under which the ownCloud instance was installed.
- ownCloud Server < 7.0.3 (CVE-2014-9044)
The filename is now generated by using relative file paths to the ownCloud installation. Therefore an attacker cannot brute-force the absolute paths anymore.
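The following sketch is an added example, not ownCloud's own code. It contrasts the two naming schemes described above and provides a regression check that a generated filename does not vary with the installation root. The way paths are joined before hashing, the function names and the sample asset list are assumptions made for illustration.

```python
import hashlib
import posixpath

# Constructed sample: asset paths relative to the installation root.
SAMPLE_ASSETS = ["core/css/styles.css", "core/js/js.js", "apps/files/js/files.js"]

# Constructed sample: installation roots used to exercise the check.
SAMPLE_ROOTS = ["/var/www/owncloud", "/srv/http/oc", "/opt/owncloud"]


def name_from_absolute(install_root, assets):
    """Pre-fix scheme as the advisory describes it: MD5 over absolute paths.
    Joining the sorted paths with newlines is an assumption."""
    absolute = sorted(posixpath.join(install_root, a) for a in assets)
    return hashlib.md5("\n".join(absolute).encode()).hexdigest()


def name_from_relative(install_root, assets):
    """Post-fix scheme: MD5 over paths relative to the installation."""
    absolute = [posixpath.join(install_root, a) for a in assets]
    relative = sorted(posixpath.relpath(p, install_root) for p in absolute)
    return hashlib.md5("\n".join(relative).encode()).hexdigest()


def depends_on_install_root(namer, assets, roots):
    """True if the generated filename changes with the installation root,
    meaning the filename can confirm or refute a guessed install path."""
    return len({namer(root, assets) for root in roots}) > 1


if __name__ == "__main__":
    for namer in (name_from_absolute, name_from_relative):
        leaks = depends_on_install_root(namer, SAMPLE_ASSETS, SAMPLE_ROOTS)
        print(f"{namer.__name__}: depends on install root = {leaks}")
```

The same check can be pointed at any function that derives a public identifier from server-side paths.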
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.