Mounted Dropbox storage allows “Dropbox.com” to access any file
Platform: ownCloud Server
Versions: 6.0.8, 7.0.6, 8.0.4,
Risk level: Medium
CVSS v2 Base Score: 4.6 (AV:N/AC:H/Au:M/C:C/I:N/A:N)
A bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of “Dropbox.com” to gain access to any files on the ownCloud server if an external Dropbox storage was mounted.
This was caused by a feature of PHP (which has been turned off per default as of PHP 5.6.0) in the handling of POST values sent to the remote host. If a value was prefixed with
@ the content of the value was replaced with the file name specified after the
Effectively this might allow “dropbox.com” to read any files on the server if the following requirements are met:
- Server is running a PHP version below 5.6.0
- An external Dropbox storage has been mounted in ownCloud
- An authenticated user sends a specially crafted request to the mounted storage
Per default ownCloud does not include any Dropbox mounts.
- ownCloud Server < 6.0.8 (CVE-2015-4715)
- ownCloud Server < 7.0.6 (CVE-2015-4715)
- ownCloud Server < 8.0.4 (CVE-2015-4715)
The ownCloud server component is now refusing to handle any files containing a
@ on the Dropbox external storage. This is no regression as handling files containing said character was not reliably possible before as well.
The upcoming ownCloud Server 8.1 will contain a new version of the used library to connect to Dropbox which handles files with
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.