Open-source file-sharing and collaboration software ownCloud is plagued by critical vulnerabilities that could lead to the exposure of credentials and other sensitive information and to authentication and validation bypass.
The most serious issue, which carries a CVSS score of 10/10, impacts the graphapi app, which uses a third-party library providing a URL that, when accessed, reveals the PHP environment’s configuration details (phpinfo).
“This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key,” ownCloud warned in an advisory.
Additional sensitive data exposed by phpinfo may allow an attacker to gather further information about the system, so the vulnerability should still concern administrators even when ownCloud is not running in a containerized environment.
“It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability,” ownCloud notes. The issue impacts graphapi versions 0.2.0 to 0.3.0.
Administrators are advised to change the ownCloud admin password, the Object-Store/S3 access-key, and credentials for the mail server and database. “Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities,” ownCloud added.
A second vulnerability, tagged with a CVSS severity score of 9.8/10, is described as an authentication bypass in the WebDAV API, through pre-signed URLs.
“It is possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default),” ownCloud explained.
The bug impacts ownCloud core versions 10.6.0 to 10.13.0 and can be mitigated by denying the use of pre-signed URLs if there is no signing key configured for the file owner.
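To make the mitigation concrete, here is an added illustration (not ownCloud's own code, and using constructed parameter names `user`, `expires` and `sig` rather than any real ownCloud query parameters) of a pre-signed URL verifier that treats a missing signing key as a hard rejection. The point of the design is the ordering of checks: the owner's key is looked up first, and if none is configured the request is refused before any signature arithmetic happens, so a default account with no key can never be matched by a signature computed over an empty or guessed key.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-user signing keys. None means "no signing key configured",
# which the advisory describes as the default state for a user.
SIGNING_KEYS: Dict[str, Optional[bytes]] = {
    "alice": None,                            # default: nothing configured
    "bob": b"constructed-signing-key-for-bob",
}

BASE_URL = "https://cloud.example.invalid"    # constructed host


def _message(user: str, path: str, expires: int) -> bytes:
    # Bind the signature to the owner, the exact path and the expiry time so
    # that none of them can be swapped without invalidating the signature.
    return f"{user}\n{path}\n{expires}".encode()


def make_presigned_url(user: str, path: str, expires: int) -> str:
    """Issue a pre-signed URL; refuses outright for a user with no key."""
    key = SIGNING_KEYS.get(user)
    if not key:
        raise ValueError(f"{user} has no signing key configured")
    sig = hmac.new(key, _message(user, path, expires), hashlib.sha256).hexdigest()
    query = urlencode({"user": user, "expires": expires, "sig": sig})
    return f"{BASE_URL}{path}?{query}"


def verify_presigned_url(url: str, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming pre-signed request."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        user = query["user"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"

    # The mitigation: no configured key means no pre-signed access at all.
    # Never fall back to an empty key, which anyone could sign with.
    key = SIGNING_KEYS.get(user)
    if not key:
        return False, "no_signing_key"

    if now > expires:
        return False, "expired"

    expected = hmac.new(key, _message(user, parts.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad_signature"
    return True, "ok"


if __name__ == "__main__":
    url = make_presigned_url("bob", "/dav/files/bob/report.pdf", 1_700_000_600)
    print(url)
    print(verify_presigned_url(url, 1_700_000_000))
```

The returned reason string is what a deployment would want to log: a burst of `no_signing_key` rejections for many different usernames is a useful detection signal for attempts to use this path against accounts that never configured a key.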
A third bug (CVSS score of 9/10), impacting the oauth2 app versions prior to 0.6.1, could lead to the bypass of subdomain validation.
“Within the oauth2 app an attacker is able to pass in a specially crafted redirect-URL which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker,” ownCloud said.