Security Advisory


Multiple CSRF vulnerabilities (oC-SA-2013-004)

20th February 2013

Risk level: Medium

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to hijack the authentication for users via

  • the “lat” and “lng” POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
    • Commits: 452a626 (stable45), 015ac6a (stable4)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to change the timezone of the user.
  • the “timezonedetection” POST parameter to timezonedetection.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
    • Commits: 452a626 (stable45), 97d0cee (stable4)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to disable or enable the automatic timezone detection.
  • the “admin_export” POST parameter to settings.php in /apps/admin_migrate/ (CVE-2013-0299)
    • Commits: bc93744 (stable45), 28dc89e (stable4)
    • Risk: Moderate
    • Note: Successful exploitation of this CSRF requires the “admin_migrate” app to be enabled (disabled by default).
    • Impact: An attacker may be able to import a user account.
  • the “operation” POST parameter to export.php in /apps/user_migrate/ajax/ (CVE-2013-0299)
    • Commits: 2de405a (stable45), de9befd (stable4)
    • Risk: Moderate
    • Note: Successful exploitation of this CSRF requires the “user_migrate” app to be enabled (disabled by default).
    • Impact: An attacker may be able to overwrite files of the logged-in user.
  • multiple unspecified POST parameters to settings.php in /apps/user_ldap/ (CVE-2013-0299)
    • Commits: 5ec272d (stable45), b966095 (stable4)
    • Risk: High
    • Note: Successful exploitation of this CSRF requires the “user_ldap” app to be enabled (disabled by default).
    • Impact: An attacker may be able to change the authentication server URL.

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to hijack the authentication for users via

  • the “v” POST parameter to changeview.php in /apps/calendar/ajax/ (CVE-2013-0300)
    • Commits: 452a626 (stable45)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to change the default view of a user.
  • multiple unspecified parameters to addRootCertificate.php, dropbox.php and google.php in /apps/files_external/ajax/ (CVE-2013-0300)
    • Commits: 2e819d6 + 24a7381e9f (stable45)
    • Risk: Medium
    • Note: Successful exploitation of this CSRF requires the “files_external” app to be enabled (disabled by default).
    • Impact: An attacker may be able to mount arbitrary Google Drive or Dropbox folders to the internal filesystem.
  • multiple unspecified POST parameters to settings.php in /apps/user_webdavauth/ (CVE-2013-0300)
    • Commits: 9282641 (stable45)
    • Risk: High
    • Note: Successful exploitation of this CSRF requires the “user_webdavauth” app to be enabled (disabled by default).
    • Impact: An attacker may be able to change the authentication server URL.

A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11 and all prior versions allows remote attackers to hijack the authentication for users via

  • the “timezone” POST parameter to settimezone in /apps/calendar/ajax/settings/ (CVE-2013-0301)
    • Commits: 97d0cee (stable4)
    • Risk: Negligible
    • Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
    • Impact: An attacker may be able to change the timezone of a user.
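As an added illustration of the bug class (not ownCloud's own code), the handlers below mirror guesstimezone.php in plain PHP 7+: they take “lat” and “lng” by POST and update the user's timezone. The first version checks only the session, so a cross-site page the victim visits can submit it; the second also requires a per-session request token that a cross-site page cannot obtain. The timezone calculation and storage are constructed stand-ins.

```php
<?php
// Added example (not ownCloud code): the endpoint pattern behind the
// guesstimezone.php CSRF. A browser attaches the victim's session cookie
// to a cross-site form POST, so a session check alone proves no intent.
session_start();
// Constructed stand-ins for the calendar app's timezone logic:
// longitude / 15 degrees gives a rough UTC offset; storage is the session.
function timezoneFromCoordinates(float $lat, float $lng): string {
    $offset = (int) round($lng / 15);
    return 'UTC' . ($offset >= 0 ? '+' : '') . $offset;
}
function saveTimezone(string $user, string $tz): void {
    $_SESSION['timezone'][$user] = $tz;
}
// VULNERABLE: only the session is checked, so any page the logged-in user
// visits can POST lat/lng here and change their timezone.
function guessTimezoneVulnerable(array $post): string {
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        return 'not logged in';
    }
    $tz = timezoneFromCoordinates((float) $post['lat'], (float) $post['lng']);
    saveTimezone($_SESSION['user'], $tz);
    return $tz;
}
// Per-session token; the page that legitimately hosts the form embeds it,
// and a cross-site page cannot read it because of the same-origin policy.
function issueRequestToken(): string {
    if (empty($_SESSION['requesttoken'])) {
        $_SESSION['requesttoken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['requesttoken'];
}
// HARDENED: refuse the state change unless the request carries the token.
function guessTimezoneHardened(array $post): string {
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        return 'not logged in';
    }
    $known = $_SESSION['requesttoken'] ?? '';
    $sent  = $post['requesttoken'] ?? '';
    if ($known === '' || !is_string($sent) || !hash_equals($known, $sent)) {
        http_response_code(403);
        error_log('CSRF check failed for user ' . $_SESSION['user']);
        return 'CSRF check failed';
    }
    $tz = timezoneFromCoordinates((float) $post['lat'], (float) $post['lng']);
    saveTimezone($_SESSION['user'], $tz);
    return $tz;
}
```

The same token check applied to every state-changing ajax endpoint listed above (timezone detection, migration, external storage, LDAP and WebDAV auth settings) is what removes this class of bug; the 403 log line gives defenders a signal for rejected cross-site submissions.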

Affected Software

  • ownCloud Server < 4.5.7 (CVE-2013-0299, CVE-2013-0300)
  • ownCloud Server < 4.0.12 (CVE-2013-0299, CVE-2013-0301)

Action Taken

It is recommended that all instances are upgraded to ownCloud Server 4.5.7 or 4.0.12.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. (lukas@owncloud.org) - Vulnerability discovery and disclosure.