Message-ID: <000301cd1d33$1774ca80$465e5f80$@tele-consulting.com>
Date: Wed, 18 Apr 2012 09:15:54 +0200 (CEST)
From: "Tobias Glemser" <tglemser@...e-consulting.com>
To: <bugtraq@...urityfocus.com>
Subject: TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

Published: 2012/04/18
Version 1.0

Affected products:
    ownCloud version 3.0.0 (others not tested)
    http://owncloud.org

References: 
    TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt (used for updates)
    CVE-2012-2269 - XSS in ownCloud 3.0.0
    CVE-2012-2270 - Open Redirect in ownCloud 3.0.0
	
Summary:
    "ownCloud gives you easy and universal access to all of your files.
     It also provides a platform to easily view, sync and share your 
     contacts, calendars, bookmarks and files across all your devices.
     ownCloud 3 brings loads of new features and hundreds of fixes"

Vulnerable Scripts:
    stored XSS:
     - /apps/contacts/ajax/addcard.php (any input field)
     - /apps/contacts/ajax/addproperty.php (parameter)
     - /apps/contacts/ajax/createaddressbook (name)

    reflected XSS:
     - /files/download.php (file)
     - /files/index.php (name, user, redirect_url)
	
    open redirect after login:
     - Login Page

Examples:
    stored XSS:
      - add a new contact and enter <script>alert("Help Me")</script> in any field, save the contact
      - add a new date in calendar with name <script>alert("Help Me")</script>
      
    reflected XSS (un-authenticated):
      - http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in)

    open redirect after login:
      - http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreifer.de/
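
Both the un-authenticated reflected XSS and the open redirect above flow through the same redirect_url parameter, so the defensive fix is to treat it as untrusted in two places: validate it as a same-origin path before redirecting, and attribute-escape it before echoing it back into the login form. The following is an added illustration of that handling, not ownCloud's own code; the sample inputs are constructed from the advisory's examples plus two hypothetical variants (scheme-relative and backslash forms), and the function names are my own.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values for redirect_url (not captured traffic).
SAMPLES = {
    "normal": "/owncloud/files/index.php?dir=Documents",
    "open_redirect": "http://www.boeserangreifer.de/",          # from the advisory
    "scheme_relative": "//attacker.example/",                   # hypothetical variant
    "xss_payload": '1"><script>alert("Help Me")</script><l="',  # from the advisory
    "backslash": "/\\attacker.example",                         # hypothetical variant
}


def safe_redirect_target(redirect_url: Optional[str], default: str = "/") -> str:
    """Return redirect_url only if it is an absolute path on this site,
    otherwise fall back to the default landing page."""
    if not redirect_url:
        return default
    parts = urlsplit(redirect_url)
    # An explicit scheme or host means the target leaves our origin.
    if parts.scheme or parts.netloc:
        return default
    # Require a site-local path; '//' and backslashes are treated by some
    # browsers as a host separator, so they are refused outright.
    if (not redirect_url.startswith("/")
            or redirect_url.startswith("//")
            or "\\" in redirect_url):
        return default
    # Control characters or whitespace must never reach a Location header.
    if any(c.isspace() or ord(c) < 0x20 for c in redirect_url):
        return default
    return redirect_url


def render_hidden_field(redirect_url: str) -> str:
    """Re-emit redirect_url inside the login form with attribute escaping,
    so a value such as the advisory's payload cannot break out of value=\"...\"."""
    return ('<input type="hidden" name="redirect_url" value="%s">'
            % escape(redirect_url, quote=True))


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:16} -> redirect to {safe_redirect_target(value)!r}")
    print(render_hidden_field(SAMPLES["xss_payload"]))
```

Validation and escaping address different sinks: the first protects the Location header decision, the second protects the HTML the login page echoes, and neither replaces the other.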

Possible solutions:
    - update to ownCloud 3.0.2

Disclosure Timeline:
    2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
    2012/02/01 vendor contacted via E-Mail
    2012/02/02 vendor response 
    2012/04/16 asked vendor for status updates
    2012/04/16 vendor status: patched with version 3.0.2
    2012/04/18 public disclosure

Credits:
    Tobias Glemser (tglemser@...e-consulting.com)
    Tele-Consulting security networking training GmbH, Germany
    www.tele-consulting.com
    
Disclaimer:
    All information is provided without warranty. The intent is to 
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore Tele-Consulting shall 
    not be liable for any direct or indirect damages that might be 
    caused by using this information.
