OwnCloud

Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.

ownCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform.

It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to maintain control over their data rather than hosting it at third-party cloud storage providers. OwnCloud's site reports 200,000 installs, 600 enterprise customers, and 200 million users.

The software consists of multiple libraries and components that work together to provide a range of functionalities for the cloud storage platform.

Severe data breach risks

The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.

The first flaw is tracked as CVE-2023-49103 and received a maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, impacting all environment variables of the webserver.

Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details through a URL, exposing ownCloud admin passwords, mail server credentials, and license keys.

The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys.

"It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," warns the security bulletin.

"Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."

The second issue, with a CVSS v3 score of 9.8, impacts ownCloud core library versions 10.6.0 to 10.13.0, and is an authentication bypass problem.

The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the user's username is known and they have not configured a signing-key (default setting).

The published solution is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.

The third and less severe flaw (CVSS v3 score: 9) is a subdomain validation bypass issue impacting all versions of the oauth2 library below 0.6.1.

In the oauth2 app, an attacker can input a specially crafted redirect URL that bypasses the validation code, allowing redirection of callbacks to a domain controlled by the attacker.

The recommended mitigation is to harden the validation code in the Oauth2 app. A temporary workaround shared in the bulletin is to disable the "Allow Subdomains" option.

The three security flaws described in the bulletins significantly impact the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more.

Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups, like CLOP, using them in data theft attacks on thousnads of companies worldwide.

Due to this, it's critical for ownCloud administrators to immediately apply the recommended fixes and perform the library updates as soon as possible to mitigate these risks.

Related Articles:

Juniper releases out-of-cycle fix for max severity auth bypass flaw

Critical GitLab bug lets attackers run pipelines as any user

Dev rejects CVE severity, makes his GitHub repo read-only

Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released

Hackers target new MOVEit Transfer critical auth bypass bug