PHP arbitrary class instantiation in “files_external”
Platform: ownCloud Server
Versions: 7.0.9, 8.0.7, 8.1.2
Risk level: High
CVSS v2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
A user may instantiate arbitrary ownCloud classes because the mount point options provided by the user via the web front end are not properly checked. These options may include constructor arguments, which could potentially lead to remote code execution.
- ownCloud Server < 8.1.2 (CVE-2015-7699)
- ownCloud Server < 8.0.7 (CVE-2015-7699)
- ownCloud Server < 7.0.9 (CVE-2015-7699)
The mount points are now properly validated in the controller before being stored.
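The advisory does not include code. The following PHP sketch is an added illustration, not ownCloud's code: it contrasts instantiating a class named in the request with resolving a backend identifier against a fixed allowlist before the mount point is stored. All class, function and array key names are hypothetical.

```php
<?php
// Added illustration; all names below are hypothetical, not ownCloud's.
interface StorageBackend {}

final class LocalBackend implements StorageBackend {
    public array $options;
    public function __construct(array $options) { $this->options = $options; }
}

final class SftpBackend implements StorageBackend {
    public array $options;
    public function __construct(array $options) { $this->options = $options; }
}

// Unsafe pattern: the class name and constructor arguments come from the
// request unchecked, so any loadable class can be constructed.
function createBackendUnsafe(string $class, array $options): object {
    return new $class($options);
}

// Hardened pattern: only identifiers on a fixed allowlist map to a class.
const ALLOWED_BACKENDS = ['local' => LocalBackend::class, 'sftp' => SftpBackend::class];

// Called by the controller before the mount point is stored.
function validateMountPoint(array $request): array {
    $id = $request['backend'] ?? null;
    if (!is_string($id) || !array_key_exists($id, ALLOWED_BACKENDS)) {
        throw new InvalidArgumentException('Unknown storage backend');
    }
    $options = $request['options'] ?? [];
    if (!is_array($options)) {
        throw new InvalidArgumentException('Options must be an array');
    }
    foreach ($options as $key => $value) {
        // Accept flat scalar options only; nested structures are rejected.
        if (!is_string($key) || !is_scalar($value)) {
            throw new InvalidArgumentException('Invalid option');
        }
    }
    return ['class' => ALLOWED_BACKENDS[$id], 'options' => $options];
}

// Constructed input: a class name in place of a backend identifier is rejected.
try {
    validateMountPoint(['backend' => 'ArrayObject', 'options' => []]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```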
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Robin McCorkell – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.