OwnCloud Server Bypass Intended Access Restrictions Vulnerabilities
23 Dec. 2015
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users' files via a sharing link to a file with a deleted parent folder.
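The bug class described above, as an added example that is not ownCloud's code: a simplified, hypothetical model in which an unchecked NULL from a path lookup is coerced to an empty string and widens the share root, next to a version that treats NULL as an invalid share. The `UserView` class, the `shareRootUnchecked` and `shareRootChecked` functions, the path layout and the file ids are assumptions made for illustration; the code requires PHP 8.

```php
<?php
// Hypothetical model (not ownCloud code): a per-user view mapping file ids to paths.
final class UserView
{
    /** @param array<int,string> $paths constructed sample data: file id => path */
    public function __construct(private array $paths) {}

    // Returns null when the id no longer resolves, e.g. its parent folder was deleted.
    public function getPath(int $fileId): ?string
    {
        return $this->paths[$fileId] ?? null;
    }
}

// Before: null is silently coerced to '' by string concatenation, so the
// computed share root collapses to the owner's whole files directory.
function shareRootUnchecked(UserView $view, string $owner, int $fileId): string
{
    return '/' . $owner . '/files' . $view->getPath($fileId);
}

// After: null (or an empty path) is an explicit "share no longer valid" outcome.
// Strict comparison is used so that no other falsy value is mistaken for it.
function shareRootChecked(UserView $view, string $owner, int $fileId): string
{
    $path = $view->getPath($fileId);
    if ($path === null || $path === '') {
        throw new RuntimeException('Share target no longer exists');
    }
    return '/' . $owner . '/files' . $path;
}

// Constructed sample data: id 42 resolves, id 43 has lost its parent folder.
$view = new UserView([42 => '/projects/report.pdf']);

echo shareRootUnchecked($view, 'alice', 42), PHP_EOL; // root limited to the shared file
echo shareRootUnchecked($view, 'alice', 43), PHP_EOL; // root is no longer limited to one file

try {
    shareRootChecked($view, 'alice', 43);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;     // hardened path fails closed
}
```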
* ownCloud Server before 7.0.5 and 8.0.x before 8.0.4
* ownCloud Server after 7.0.5 and after 8.0.4
Due to not sanitising all user-provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful exploitation requires that the adversary is able to create files containing the " character. This character is forbidden by default in any current ownCloud version except 8.1.0 RC1, thus an actual exploitation requires that the user has mounted an external storage within ownCloud where a user can create files with such characters. Alternatively, an adversary may discover a way to circumvent the input validation. (ownCloud is not aware of a bypass of the input validation.) Furthermore, the attacker must be able to share a folder containing the files with malicious filenames with the victim.