Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAD1Nwhj5wYkmYBTX1C0Ct8tkS_rCKtAZm6XstNDO5hdLAry6BQ@mail.gmail.com>
Date: Tue, 22 Jan 2013 16:49:12 +0100
From: Lukas Reschke <lukas@...cloud.org>
To: oss-security@...ts.openwall.com
Cc: "security@...cloud.com" <security@...cloud.com>
Subject: ownCloud Security Advisories - 2013-001 & 2013-002

Multiple XSS vulnerabilities (oC-SA-2013-001)
=================================
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-001/

CVE IDENTIFIERS
==============
CVE-2013-0201, CVE-2013-0202, CVE-2013-0203

AFFECTED SOFTWARE
==================
ownCloud Server < 4.5.6
ownCloud Server < 4.0.11

DESCRIPTION
===========
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5
and 4.0.10 and all prior versions allow remote attackers to inject
arbitrary web script or HTML via

- the GET parameters to resetpassword.php in
core/lostpassword/templates/ (CVE-2013-0201)
  - Commits: c05c8ab (stable45), 4e2b834 (stable4)
  - Risk: Medium
  - Note: This is a reflected XSS, which can be only abused using
Internet Explorer 9 and prior.
- the mime parameter to mimeicon.php in apps/files/ajax/ (CVE-2013-0201)
  - Commits: b8e0309 (stable45), f603454 (stable4)
  - Risk: Medium
  - Note: This is a reflected XSS, which only affects ownCloud
versions hosted by Windows.
- the token parameter to sharing.php in apps/gallery/ (CVE-2013-0201)
  - Commits: 34ac2f5 (stable45), f71f0ad (stable4)
  - Risk: Medium
  - Note: This is a reflected XSS, for a successful exploitation the
"gallery" app needs to be enabled.
- the action parameter to sharing.php in core/ajax/ (CVE-2013-0202)
  - Commits: fb334f3 (stable45), 306d5ee (stable4)
  - Risk: Low
  - Note: This is a self XSS, for a successful exploitation the user
needs to enter malicious Javascript on his own.
- the POST parameters to new.php in apps/calendar/ajax/event/ (CVE-2013-0203)
  - Commits: 9e6ba80e (stable45), 708bd (stable4)
  - Risk: High
  - Note: This is a stored XSS, for a successful exploitation the
"calendar" app needs to be enabled. An authenticated remote attacker
may be able to share this crafted event with other users.
- the url parameter to addBookmark.php in apps/bookmarks/ajax/ (CVE-2013-0203)
  - Commits: 6aba1e8 (stable45), 3f37063 (stable4)
  - Risk: Low
  - Note: This is a stored XSS, for a successful exploitation the
"bookmarks" app needs to be enabled.

RESOLUTION
==========
Update to ownCloud Server 4.5.6 or 4.0.11
http://mirrors.owncloud.org/releases/owncloud-4.5.6.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.11.tar.bz2

CREDITS
=======
The ownCloud Team would like to thank Mathias Karlsson
(CVE-2013-0201), Ahmad Ashraff (CVE-2013-0202) and Frans Rosén
(CVE-2012-0203) for discovering this vulnerabilities.


=======================================================================


Code execution in external storage (oC-SA-2013-002)
======================================
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-002/

CVE IDENTIFIER
=============
CVE-2013-0204

AFFECTED SOFTWARE
==================
ownCloud Server < 4.5.6

RISK
====
Critical

COMMIT
======
0825f2c (stable45)

DESCRIPTION
===========
Due to not sufficiently sanitizing the user input in
“settings/personal.php” in ownCloud 4.5.x before 4.5.11 an
authenticated remote attackers may be able to execute arbitrary code
by entering special crafted PHP code in the mount point settings.

Note: For a successful exploitation the “external storage” app needs
to be enabled and the admin must allow users to edit their mount
points.

RESOLUTION
==========
Update to ownCloud Server 4.5.6
http://mirrors.owncloud.org/releases/owncloud-4.5.6.tar.bz2

CREDITS
=======
The ownCloud Team would like to thank Yuji Kosuga for discovering this
vulnerability.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.