PHP arbitrary class instantiation in “files_external”
Platform: ownCloud Server
Versions: 7.0.9, 8.0.7, 8.1.2
Date: 9/30/2015
Risk level: High
CVSS v2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) (CWE-470)
Description
A user may instantiate arbitrary ownCloud classes because the mount point options submitted through the web front end were not properly validated. These options may include constructor arguments, which could potentially lead to remote code execution.
Affected Software
- ownCloud Server < 8.1.2 (CVE-2015-7699)
- ownCloud Server < 8.0.7 (CVE-2015-7699)
- ownCloud Server < 7.0.9 (CVE-2015-7699)
Action Taken
The mount points are now properly validated in the controller before being stored.
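To illustrate the class of bug and the fix described above, the following constructed PHP fragment (added here; it is not ownCloud's code, and the class, function and backend names are hypothetical) shows the unsafe pattern of instantiating whatever class the request names beside a controller check that only accepts backends from a fixed allow-list and passes on scalar options only:

```php
<?php
// Constructed illustration (not ownCloud code). Names are hypothetical.

// Vulnerable pattern (CWE-470): the class name and its constructor arguments
// are taken straight from the mount point options submitted by the user.
function createStorageUnsafe(array $options)
{
    $class = $options['class'];          // chosen by the request
    $args  = $options['options'] ?? [];  // constructor arguments chosen by the request
    return new $class($args);            // any loadable class can be instantiated
}

// Hardened pattern: the controller maps a backend identifier to a fixed set of
// known storage classes and drops every option key it does not expect.
final class MountPointValidator
{
    /** @var array<string,string> backend identifier => storage class (illustrative names) */
    private const ALLOWED_BACKENDS = [
        'smb'  => 'App\Storage\SmbStorage',
        'sftp' => 'App\Storage\SftpStorage',
    ];
    /** Option keys each backend accepts; anything else is discarded. */
    private const ALLOWED_OPTIONS = [
        'smb'  => ['host', 'share', 'user', 'password'],
        'sftp' => ['host', 'root', 'user', 'password'],
    ];

    public static function validate(array $input): array
    {
        $backend = $input['backend'] ?? null;
        if (!is_string($backend) || !isset(self::ALLOWED_BACKENDS[$backend])) {
            throw new InvalidArgumentException('Unknown storage backend');
        }
        $provided = is_array($input['options'] ?? null) ? $input['options'] : [];
        $opts = [];
        foreach (self::ALLOWED_OPTIONS[$backend] as $key) {
            if (isset($provided[$key]) && is_scalar($provided[$key])) {
                $opts[$key] = (string) $provided[$key];  // scalars only, no nested structures
            }
        }
        return ['class' => self::ALLOWED_BACKENDS[$backend], 'options' => $opts];
    }
}

function createStorageSafe(array $input)
{
    $mount = MountPointValidator::validate($input);  // rejects anything off the allow-list
    $class = $mount['class'];
    return new $class($mount['options']);
}
```

The validated array is what should be stored; re-validating on load as well guards against entries written before the fix.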
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Robin McCorkell – ownCloud Inc. (rmccorkell@owncloud.com) – Vulnerability discovery and disclosure.