One of the most famous and appreciated open source platforms for creating file hosting and synchronization services is ownCloud. It is an open, cost-free solution designed to allow users to access, synchronize and share their data from various devices, such as computers, smartphones and tablets.
ownCloud provides a solution self-hosted ready to use: this means that users can install and manage the platform on a server they own. It is possible to set up a personal cloud server, possibly relying on a supplier cloudbut without sharing personal data and confidential information with any provider.
The ownCloud platform today boasts over 200 million users and allows you to access remotely to your files, be they documents, photos and other types of objects, wherever you have an Internet connection.
Beware of vulnerabilities that expose your ownCloud administrative password
After installation, administrators configure ownCloud settings, including users, groups, and access rights. The fact is that those responsible for the project have just confirmed the existence of three graves vulnerability safety features, identified inside the product.
ownCloud admin password at risk of theft
The most dangerous of the three can be exploited by malicious users for steal the administrative password of ownCloud and possibly use it without any authorization. Credential theft, as confirmed in this support document, can occur in containerized environmentsThis means that the attacker can steal the values of all variables set at the web server level.
The vulnerable component is graphapi (versions 0.2.0-0.3.0) but the problem comes from a dependency on a third-party library that exposes details about the PHP environment in use. This behavior leads to the display of ownCloud administrative passwords and mail server credentials.
The ownCloud developers recommend immediate deletion of the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.phpthe removal of the function phpinfo new container Docker e la change all passwords potentially exposed (ownCloud, email server, database credentials and S3/Object Store access keys).
Since the same file phpinfo can reveal technical details that can be exploited by attackers, the vulnerability in question is also relevant in non-containerized environments.
Bypass the authentication procedure
The second security issue, confirmed by the ownCloud developers, allows the procedure to be overcome authentication.
The flaw in question makes it possible for an attacker to access any file, modify it or delete it without first having to proceed with any form of authentication on ownCloud. All you need is to know one username valid, previously configured on the platform. The vulnerability is exploitable when users have not configured a signing key (signing-key), which is the default setting on ownCloud.
The solution is, in this case, to deny the use of Pre-signed URLs (pre-signed URLs) if a signing key has not been configured for the file owner. A pre-signed URL is a URL that includes a token of the firm, which allows anyone who owns the same URL to access a specific resource without having to authenticate separately. This is a process frequently used to provide temporary and limited access to some resources, such as a file saved on a cloud storage service.
Redirect to an attacker-controlled domain
A third vulnerability discovered in ownCloud allows an attacker to insert a Redirect URL specially designed code that bypasses validation code. In this way it becomes possible to redirect the callback (return requests) to an attacker-controlled domain rather than the legitimate domain.
The proposed solution consists in strengthening the validation code at the implementation level of the OAuth2 protocol. In particular, it is recommended to improve the process subdomain verification to prevent attackers from evading it with artfully manipulated redirect URLs.
Following the identification of the three vulnerabilities described, the developers of ownCloud invite users of the software to secure their installations through the suggested interventions. Furthermore, the suggestion is to update the libraries affected by safety problems as soon as possible.