The open-source file sharing project ownCloud recently issued a warning about three critical security vulnerabilities that pose severe risks and may lead to data breaches, including the exposure of sensitive information such as administrator passwords and mail server credentials.
For those unaware, ownCloud is an open-source file sync and sharing solution for content collaboration, allowing teams to share and work on files seamlessly regardless of device or location.
The first vulnerability, tracked as CVE-2023-49103, received the maximum CVSS v3 score of 10. It can be used to steal credentials and configuration information in containerized deployments, and it can affect all components of the web server environment.
In GUI versions 0.2.0 through 0.3.0, the issue occurs due to a dependency on a third-party library that exposes information about the PHP environment through a URL, revealing ownCloud administrator passwords, mail server credentials, and license keys.
The recommended fix involves deleting the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, disabling the “phpinfo” function in Docker containers, and changing potentially exposed secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
“It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern,” the security advisory cautions.
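The first two remediation steps for CVE-2023-49103 (file removed, phpinfo disabled) can be verified with a short audit script. This is an added example, not ownCloud's own tooling: the function names are hypothetical, and it assumes PHP's settings live in a single php.ini file passed as the second argument.

```shell
#!/bin/sh
# Added example: audit a host or container filesystem for the two checkable
# CVE-2023-49103 remediation steps. Usage: ./audit.sh <search-root> <php.ini>

# Print every copy of the test file named in the advisory found under root $1.
# Matching on the path suffix also catches installs not in a dir called "owncloud".
find_phpinfo_files() {
    find "$1" -type f \
        -path '*/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' \
        2>/dev/null
}

# Return 0 only if the last uncommented disable_functions line in php.ini
# file $1 lists "phpinfo" (exact, lowercase) as one of its comma-separated entries.
# A missing or unreadable file counts as "not disabled".
phpinfo_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '" ' | tr ',' '\n' | grep -qx 'phpinfo'
}

# Run both checks, report each result, and return non-zero if either fails.
audit() {
    audit_status=0
    audit_hits=$(find_phpinfo_files "$1")
    if [ -n "$audit_hits" ]; then
        printf 'FAIL: GetPhpInfo.php still present:\n%s\n' "$audit_hits"
        audit_status=1
    else
        printf 'OK: no GetPhpInfo.php under %s\n' "$1"
    fi
    if phpinfo_disabled "$2"; then
        printf 'OK: phpinfo is listed in disable_functions (%s)\n' "$2"
    else
        printf 'FAIL: phpinfo is not listed in disable_functions (%s)\n' "$2"
        audit_status=1
    fi
    return "$audit_status"
}

# Only run when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

A passing audit does not cover the third step: secrets that may already have been exposed still have to be changed.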
Moving further, the second vulnerability has a CVSS v3 score of 9.8 and affects ownCloud’s core library versions 10.6.0 to 10.13.0.
This is an authentication bypass, which allows an attacker to access, modify, and delete any file as long as they know the user’s username and the user has not configured a signing key (default setting).
The proposed solution is to forbid the use of pre-signed URLs if no signing key is configured for the owner of the file.
Lastly, the third flaw, which has a CVSS v3 score of 9, is a subdomain validation bypass and pertains to the oauth2 library below version 0.6.1.
This vulnerability allows an attacker to enter a specially crafted redirect URL that bypasses the validation code and redirects callbacks to a malicious domain controlled by the attacker.
While the advised mitigation is to bolster the validation code in the OAuth2 app, a temporary workaround described in the security advisory is to disable the “Allow Subdomains” option.
If left unaddressed, these three critical vulnerabilities can considerably affect the security and integrity of the ownCloud environment, allowing attackers to gain unauthorized access to sensitive information, manipulate or delete files, carry out phishing attacks, and more.
Therefore, ownCloud administrators are strongly advised to implement the recommended fixes without delay and to update ownCloud to the latest stable version, which performs the necessary library updates, in order to reduce the risks posed by the vulnerabilities and safeguard their valuable data.