
Potential local file disclosure

Platform: ownCloud Server

Versions: 7.0.3

Date: 11/25/2014

Risk level: High


ownCloud offers the OC_Util::getUrlContent() function to developers. Using this function, applications can download content from remote websites.

Due to a newly introduced bug, this function followed redirects to other protocols such as file://. An attacker may thus be able to gain access to local files stored on the ownCloud instance.

Affected Software

  • ownCloud Server < 7.0.3 (CVE-2014-9046)

Action Taken

OC_Util::getUrlContent() now follows redirects only to the HTTP and HTTPS protocols.
Some other functions have received further hardening as well to prevent potential bypasses of network restrictions. (In particular, the “Download from URL” feature will no longer accept redirects to other protocols such as FTP.)

Those specific hardenings have also been applied to 6.0.6 and 5.0.18 but are not considered security bugs by the ownCloud project.
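
One way to enforce the "HTTP and HTTPS only" rule described above in a PHP fetch helper. This is an added example, not ownCloud's code: it assumes the PHP cURL extension is used, and the names isHttpUrl() and fetchHttpOnly() are hypothetical.

```php
<?php
// Added example, not ownCloud's implementation. Helper names are hypothetical.

// Accept only absolute URLs whose scheme is http or https.
function isHttpUrl(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Fetch a remote URL, following redirects only while they stay on HTTP(S).
function fetchHttpOnly(string $url, int $maxRedirects = 5): string
{
    // Check the caller-supplied URL before any request is made.
    if (!isHttpUrl($url)) {
        throw new InvalidArgumentException('Only http:// and https:// URLs are accepted');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => $maxRedirects,
        CURLOPT_CONNECTTIMEOUT  => 10,
        // Schemes allowed for the initial request.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Schemes allowed in a Location header. Set explicitly instead of
        // relying on defaults, so a redirect to file:// or ftp:// is refused.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // A refused redirect ends up here as a cURL error, not as content.
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample inputs for the scheme check (no network access needed).
$samples = ['https://example.com/a', 'HTTP://example.com/', 'file:///etc/passwd',
            'ftp://example.com/x', '/relative/path'];
foreach ($samples as $candidate) {
    printf("%-24s %s\n", $candidate, isHttpUrl($candidate) ? 'allowed' : 'rejected');
}
```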


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.
