< go back to overview

PHP arbitrary class instantiation in “files_external”

Platform: ownCloud Server

Versions: 7.0.9, 8.0.7, 8.1.2,

Date: 9/30/2015

Risk level: High

CVSS v2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CWE: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) (CWE-470)


A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution.

Affected Software

Action Taken

The mount points are now properly validated in the controller before being stored.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Robin McCorkell – ownCloud Inc. (rmccorkell@owncloud.com) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.