Potential local file disclosure
Platform: ownCloud Server
Risk level: High
ownCloud offers the
OC_Util::getUrlContent() to developers. Using this function applications can download content from remote websites.
Due to a newly introduced bug in this functionality it was following redirects to other protocols such as
file://. Thus, an attacker may be able to gain access to local files stored on the ownCloud instance.
- ownCloud Server < 7.0.3 (CVE-2014-9046)
OC_Util::getUrlContent() is now following only redirects to the
Some other functions have received further hardening as well to prevent potential bypasses of network restrictions. (In particular the “Download from URL” feature will not accept redirect to other protocols such as FTP anymore).
Those specific hardenings have been also applied to 6.0.6 and 5.0.18 but are not considered as security bugs by the ownCloud project.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.