< go back to overview

Mounted Dropbox storage allows “Dropbox.com” to access any file

Platform: ownCloud Server

Versions: 6.0.8, 7.0.6, 8.0.4,

Date: 6/24/2015

Risk level: Medium

CVSS v2 Base Score: 4.6 (AV:N/AC:H/Au:M/C:C/I:N/A:N)

CWE: Files or Directories Accessible to External Parties (CWE-552)


A bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of “Dropbox.com” to gain access to any files on the ownCloud server if an external Dropbox storage was mounted.

This was caused by a feature of PHP (which has been turned off per default as of PHP 5.6.0) in the handling of POST values sent to the remote host. If a value was prefixed with @ the content of the value was replaced with the file name specified after the @.

Effectively this might allow “dropbox.com” to read any files on the server if the following requirements are met:

  • Server is running a PHP version below 5.6.0
  • An external Dropbox storage has been mounted in ownCloud
  • An authenticated user sends a specially crafted request to the mounted storage

Per default ownCloud does not include any Dropbox mounts.

Affected Software

  • ownCloud Server < 6.0.8 (CVE-2015-4715)
  • ownCloud Server < 7.0.6 (CVE-2015-4715)
  • ownCloud Server < 8.0.4 (CVE-2015-4715)

Action Taken

The ownCloud server component is now refusing to handle any files containing a @ on the Dropbox external storage. This is no regression as handling files containing said character was not reliably possible before as well.

The upcoming ownCloud Server 8.1 will contain a new version of the used library to connect to Dropbox which handles files with @ correctly.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.