Open Redirector involving user interaction

Platform: ownCloud Server

Versions: 7.0.14, 8.0.12, 8.1.7, 8.2.4, 9.0.2,

Date: 7/16/2016

Risk level: Low

CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CWE: URL Redirection to Untrusted Site (‘Open Redirect’) (CWE-601)


The ‘Import root certificate’ feature, available to users once files_external is enabled, lets users import their own root certificates for connections (e.g. server-to-server shares to servers using a self-signed certificate, or external storages).
The functionality used the PHP OpenSSL parsing functions to parse these certificate files, namely `openssl_pkey_get_public` and `openssl_x509_parse`. It turned out that these internally call `php_openssl_x509_from_zval`, which allows passing in a file:///
Therefore an attacker could pass a file beginning with `file://` and ownCloud would try to parse the corresponding file. This leads to a disclosure of arbitrary certificate files if the adversary can guess the correct path.

Affected Software

Action Taken

ownCloud now prevents files that begin with ‘file://’ from being parsed.
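
A sketch of this kind of check in PHP, added here as an illustration and not taken from ownCloud's code. The function name `parseUploadedCertificate`, the additional PEM-header check and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not ownCloud code): parse uploaded certificate data,
 * refusing values that PHP's OpenSSL functions would treat as a path on disk.
 */
function parseUploadedCertificate(string $data): array
{
    $trimmed = ltrim($data);

    // The fix described in the advisory: never hand a "file://" string to the parser.
    // The comparison is case-insensitive here, which is stricter than required.
    if (stripos($trimmed, 'file://') === 0) {
        throw new InvalidArgumentException('Certificate data must not be a file:// reference');
    }

    // Extra check (assumption, beyond the advisory): require inline PEM content.
    if (strpos($trimmed, '-----BEGIN CERTIFICATE-----') !== 0) {
        throw new InvalidArgumentException('Expected a PEM-encoded certificate');
    }

    // Only inline certificate content reaches the OpenSSL parser.
    $info = openssl_x509_parse($trimmed);
    if ($info === false) {
        throw new InvalidArgumentException('Certificate could not be parsed');
    }
    return $info;
}

// Constructed sample inputs; the path is a placeholder, not a real file.
$samples = [
    'file reference' => 'file:///path/to/placeholder.pem',
    'mixed case'     => '  FILE:///path/to/placeholder.pem',
    'not PEM'        => 'hello world',
];

foreach ($samples as $label => $input) {
    try {
        parseUploadedCertificate($input);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

All three constructed inputs are rejected before `openssl_x509_parse` is called, so the parser never resolves a user-supplied path.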


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – Vulnerability discovery and disclosure.