Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAD1NwhjR2UN5rz5V+_fkLNj2pa1s9f541A14VieevDRPS01fFA@mail.gmail.com>
Date: Tue, 14 May 2013 18:02:12 +0200
From: Lukas Reschke <lukas@...cloud.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: ownCloud Security Team <security@...cloud.com>, announcements@...cloud.org
Subject: ownCloud Security Advisories oC-SA-0{19-27}

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Multiple SQL Injections (oC-SA-2013-019)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-019/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6 (CVE-2013-2045)
- ownCloud Server < 4.5.11 (CVE-2013-2046)

## CVE IDENTIFIERS
- CVE-2013-2045
- CVE-2013-2046

## RISK
- Critical

## Commits
### CVE-2013-2045
- stable5: [e8bedd](https://github.com/owncloud/core/commit/3e8beddfe357e334bc382135fe6cba0f346492e8)
### CVE-2013-2046
- stable45: [582c3ed](https://github.com/owncloud/bookmarks/commit/582c3ed)

## DESCRIPTION
ownCloud before 5.0.6 does not neutralize special elements that are
passed to the SQL query in lib/db.php which therefore allows an
authenticated attacker to execute arbitrary SQL commands.
(CVE-2013-2045)

ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements
that are passed to the SQL query in lib/bookmarks.php which therefore
allows an authenticated attacker to execute arbitrary SQL commands.
(CVE-2013-2046)

## Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl /
CVE-2013-2045) for discovering this vulnerability.

## RESOLUTION
Update to ownCloud Server 5.0.6 or 4.5.11
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.11.tar.bz2

---------------

# Multiple directory traversals (oC-SA-2013-020)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-020/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6 (CVE-2013-2039, CVE-2013-2085)
- ownCloud Server < 4.5.11 (CVE-2013-2039)
- ownCloud Server < 4.0.15 (CVE-2013-2039)

## RISK
- Critical

## COMMITS
### CVE-2013-2039
- stable5: [a7f1269](https://github.com/owncloud/core/commit/a7f1269)
- stable45: [6be497c](https://github.com/owncloud/core/commit/6be497c)
- stable4: [d38c7a1](https://github.com/owncloud/core/commit/d38c7a1)

### CVE-2013-2085
- stable5: [1dfb757](https://github.com/owncloud/core/commit/1dfb757)

## DESCRIPTION
Multiple directory traversal vulnerabilities in (1)
apps/files_trashbin/index.php via the "dir" GET parameter and (2)
lib/files/view.php via undefined vectors in all ownCloud versions
prior to 5.0.6 and other versions before 4.0.15, allow authenticated
remote attackers to get access to arbitrary local files.

## Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl) for
discovering this vulnerabilities.

## RESOLUTION
Update to ownCloud Server 5.0.6, 4.5.11 or 4.0.15
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.11.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.15.tar.bz2

---------------

# Multiple XSS vulnerabilities (oC-SA-2013-021)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-021/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6 (CVE-2013-2040, CVE-2013-2041, CVE-2013-2042)
- ownCloud Server < 4.5.11 (CVE-2013-2040, CVE-2013-2042)
- ownCloud Server < 4.0.15 (CVE-2013-2040, CVE-2013-2042)

## RISK
- Medium

## COMMITS
### CVE-2013-2040
- stable5: [8e61602](https://github.com/owncloud/apps/commit/8e61602)
- stable45: [f9aeaa6](https://github.com/owncloud/apps/commit/f9aeaa6)
- stable4: [1fb796c](https://github.com/owncloud/apps/commit/1fb796c)
### CVE-2013-2041
- stable5: [b38a1adf](https://github.com/owncloud/core/commit/b38a1adf),
[95b45a2](https://github.com/owncloud/bookmarks/commit/95b45a2)
### CVE-2013-2042
- stable5: [a22cb98](https://github.com/owncloud/bookmarks/commit/a22cb98)
- stable45: [f1fdeb2](https://github.com/owncloud/bookmarks/commit/f1fdeb2)
- stable4: [df54cd](https://github.com/owncloud/core/commit/df54cd5d47951098aa208a01d884d79aa5c0e333)

## DESCRIPTION
Cross-site scripting (XSS) vulnerabilities in multiple files inside
the media application via multiple unspecified vectors in all ownCloud
versions prior to 5.0.6 and other versions before 4.0.15 allows
authenticated remote attackers to inject arbitrary web script or HTML.
(CVE-2013-2040)

Cross-site scripting (XSS) vulnerabilities in (1)
apps/bookmarks/ajax/editBookmark.php via the "tag" GET parameter
(CVE-2013-2041) and in (2) apps/files/js/files.js via the "dir" GET
parameter to apps/files/ajax/newfile.php (CVE-2013-2041) in ownCloud
5.0.x before 5.0.6 allows authenticated remote attackers to inject
arbitrary web script or HTML.

Cross-site scripting (XSS) vulnerabilities in (1)
apps/bookmarks/ajax/addBookmark.php via the "url" GET parameter and in
(2) apps/bookmarks/ajax/editBookmark.php via the "url" POST parameter
in ownCloud 5.0.x before 5.0.6 allows authenticated remote attackers
to inject arbitrary web script or HTML. (CVE-2013-2042)

## Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl /
CVE-2013-2040 / CVE-2013-2041) and Kacper R. (http://devilteam.pl /
CVE-2013-2042) for discovering this vulnerabilities.

## RESOLUTION
Update to ownCloud Server 5.0.6, 4.5.11 or 4.0.15
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.11.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.15.tar.bz2

---------------

# Open redirector (oC-SA-2013-022)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-022/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6

## RISK
- Low

# CVE
- CVE-2013-2044

## COMMITS
- stable5: [bb3d39f](https://github.com/owncloud/core/commit/bb3d39f)

## DESCRIPTION
Open redirect vulnerability in index.php (aka the Login Page) in
ownCloud before 5.0.6 allows remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL in the
redirect_url parameter.

## Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl /
CVE-2013-2044) for discovering this vulnerability.

## RESOLUTION
Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2

---------------

# Password autocompletion (oC-SA-2013-023)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-023/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6

## RISK
- Low

# CVE
- CVE-2013-2047

## COMMITS
- stable5: [2030037](https://github.com/owncloud/core/commit/2030037),
[794ed99](https://github.com/owncloud/core/commit/794ed99)

## DESCRIPTION
Index.php (aka the login page) contains a form that does not disable
the autocomplete setting for the password parameter, which makes it
easier for local users or physically proximate attackers to obtain the
password from web browsers that support autocomplete.

## RESOLUTION
Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2

---------------

# Privilege escalation in the calendar application (oC-SA-2013-024)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-024/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6
- ownCloud Server < 4.5.11

## RISK
- High

# CVE
- CVE-2013-2043

## COMMITS
- stable5: [7223754](https://github.com/owncloud/calendar/commit/7223754)
- stable45: [68daff4](https://github.com/owncloud/calendar/commit/68daff4)

## DESCRIPTION
Due to not properly checking the ownership of an calendar, an
authenticated attacker is able to download calendars of other users
via the "calendar_id" GET parameter to /apps/calendar/ajax/events.php

Note: Successful exploitation of this privilege escalation requires
the "calendar" app to be enabled (enabled by default).

## Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl) for
discovering this vulnerability.

## RESOLUTION
Update to ownCloud Server 5.0.6 or 4.5.11
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.11.tar.bz2

---------------

# Privilege escalation and CSRF in the API (oC-SA-2013-025)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-025/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6

## RISK
- High

# CVE
- CVE-2013-2048

## COMMITS
- stable5: [3bcd10a](https://github.com/owncloud/calendar/commit/3bcd10a)

## DESCRIPTION
Due to an insufficient permission check, an authenticated attacker is
able to execute API commands as administrator. Additionally, an
unauthenticated attacker could abuse this flaw as a cross-site request
forgery vulnerability.

## RESOLUTION
Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2

---------------

# Incomplete blacklist vulnerability (oC-SA-2013-026)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-026/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6 (running under Apache)

## CVE IDENTIFIERS
- TBD (already requested)

## RISK
- Critical

## COMMITS
- stable5: [35b1f40](https://github.com/owncloud/core/commit/35b1f40)

## DESCRIPTION
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows
authenticated remote attackers to execute arbitrary PHP code by
uploading a crafted file and accessing an uploaded PHP file.

Note: Successful exploitation requires that the /data/ directory is
stored inside the webroot and a webserver that interprets .htaccess
files (e.g. Apache)

## RESOLUTION
Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2

---------------

# CSRF token leakage (oC-SA-2013-027)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-027/

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.6

## CVE IDENTIFIERS
- CVE-2013-2086

## RISK
- Medium

## COMMITS
- stable5: [9a53d50](https://github.com/owncloud/core/commit/9a53d50)

## DESCRIPTION
The configuration loader in ownCloud 5.0.x before 5.0.6 includes
private data such as CSRF tokens in a JavaScript file, which allows
remote attackers to obtain sensitive information.

## RESOLUTION
Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99
-----BEGIN PGP SIGNATURE-----

wsFcBAEBAgAQBQJRkl/cCRDrMrd7pAa+mQAA3YYQAL6dExigxrE4GA+IZVeK
6mdFBtsOfzoOHKKaBfN2l0s7cG93BQ2kF8LRvJ5OEG81AuCzsvnGA1thE0om
z2vj8GLEFcP+OPVEDOaXBCe+kVdBN5X2+2Yrs74vCU6xwmbxIOu7F51c5LYp
j3IZnMmflfNu4+TjKmpvkxSkG4gpouc0AG6Yi5wehxpHCezPVLxW4hkYaD7D
I/pwnpY8qPwgCG/Vifr3bxA13U+fBibZHO1Rv4mz0GQi1UoMVQ4pHMOgg0+S
SA6Gq1qnLdoRyujs2kJ4N/1KZueIb1SklKwj8hwfRcD3U9e1U3jcYOEQnwE2
nBriUB2dCHokWn6rHLgJ4AMGXeME0wZFgN8SPfGL1F1CU0RJi4vvMKZyPJ+/
89S5UqV0h7w2UB6VV60NQ3pDadBFW89ggW6E67qV3ejTn99PYgyd/3xsw/zd
ulGUhl/O1lgcOroPaHlRRNj22gx/xn49M0aWoYnCayNLO6RzwIEoInivK8PE
Y2PLKakhat6MgZo5Wq8Wf/KzU17tDKaZYvUwYOwWZIFyy73w+bhIYfSQzuib
FA9lwL8Yygl5nMK3V0u9n1MIdoiQ4UvWcqxRfcOxqrn91FA3R7Gwm3FBW0ct
s/1Rpv0HWSxrlMQSz2dv77UIldWy+ExqPM+wVlVk3EzKaVs2rfue8rW4m9wX
48Bh
=93V1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.