Security Advisory

Back to advisories

Mounted Dropbox storage allows "Dropbox.com" to access any file (oC-SA-2015-005)

24th June 2015

Risk level: Medium

CVSS v2 Base Score: 4.6 (AV:N/AC:H/Au:M/C:C/I:N/A:N)

CWE: Files or Directories Accessible to External Parties (CWE-552)

Description

A bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted.

This was caused by a feature of PHP (which has been turned off per default as of PHP 5.6.0) in the handling of POST values sent to the remote host. If a value was prefixed with @ the content of the value was replaced with the file name specified after the @.

Effectively this might allow "dropbox.com" to read any files on the server if the following requirements are met:

  • Server is running a PHP version below 5.6.0
  • An external Dropbox storage has been mounted in ownCloud
  • An authenticated user sends a specially crafted request to the mounted storage

Per default ownCloud does not include any Dropbox mounts.

Affected Software

  • ownCloud Server < 6.0.8 (CVE-2015-4715)
  • ownCloud Server < 7.0.6 (CVE-2015-4715)
  • ownCloud Server < 8.0.4 (CVE-2015-4715)

Action Taken

The ownCloud server component is now refusing to handle any files containing a @ on the Dropbox external storage. This is no regression as handling files containing said character was not reliably possible before as well.

The upcoming ownCloud Server 8.1 will contain a new version of the used library to connect to Dropbox which handles files with @ correctly.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. (lukas@owncloud.com) - Vulnerability discovery and disclosure.