Security Advisory

Back to advisories

Multiple code executions (oC-SA-2013-006)

20th February 2013

Risk level: High

Description

A code executions vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allow authenticated remote attackers to execute arbitrary PHP code via

  • unspecified POST parameters to translations.php in /core/ajax/
    • Commits: 74e73bc (stable4), ece08cd (stable45)
    • Risk: Critical

A code executions vulnerability in ownCloud 4.5.6 and all prior versions (except ownCloud 4.0.x) allow authenticated remote attackers to execute arbitrary PHP code via

  • unspecified POST parameters to settings.php in /core/
    • Commits: 746aa0 (stable45)
    • Risk: Critical

Affected Software

  • ownCloud Server < 4.5.7 (CVE-2013-0303)
  • ownCloud Server < 4.0.12 (CVE-2013-0303)

Action Taken

It is recommended that all instances are upgraded to ownCloud Server 4.5.7 or 4.0.12.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. (lukas@owncloud.org) - Vulnerability discovery and disclosure.