SECURITYVULNS:DOC:27954 (vulners.com), Apr 23, 2012
TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

Published: 2012/04/18
Version 1.0

Affected products:
ownCloud version 3.0.0 (others not tested)
http://owncloud.org

References:
TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt
(used for updates)
CVE-2012-2269 - XSS in ownCloud 3.0.0
CVE-2012-2270 - Open Redirect in ownCloud 3.0.0

Summary:
"ownCloud gives you easy and universal access to all of your files.
It also provides a platform to easily view, sync and share your
contacts, calendars, bookmarks and files across all your devices.
ownCloud 3 brings loads of new features and hundreds of fixes"

Vulnerable Scripts:
stored XSS:
- /apps/contacts/ajax/addcard.php (any input field)
- /apps/contacts/ajax/addproperty.php (parameter)
- /apps/contacts/ajax/createaddressbook (name)

reflected XSS:
- /files/download.php (file)
- /files/index.php (name, user, redirect_url)

open redirect after login:
- Login Page

Examples:
stored XSS:
- add a new contact and enter <script>alert("Help Me")</script> in
any field, save the contact
- add a new date in calendar with name <script>alert("Help Me")</script>

reflected XSS (un-authenticated):
- http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in)

open redirect after login:
- http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreifer.de/

Possible solutions:
- update to ownCloud 3.0.2
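The two index.php examples above share one root cause: the redirect_url parameter is taken from the request, written back into the login page unencoded (reflected XSS) and then used unchecked as the post-login target (open redirect). The following PHP is an added illustration of how a login handler can close both holes; it is not ownCloud's own code and does not reproduce the 3.0.2 fix. The function names safe_redirect_target and render_redirect_field and the sample inputs are assumptions constructed for this example; the attacker hostname is the one quoted in the advisory. The same output encoding shown here is what the stored-XSS fields in the contacts and calendar apps need when contact data is rendered back into HTML.

```php
<?php
// Added example, not ownCloud code: hardening a login handler's
// redirect_url parameter against the two issues described above.
//
// 1. Reflected XSS: the raw parameter was echoed into an HTML attribute,
//    so a value like 1"><script>... breaks out of the attribute.
//    Mitigation: HTML-encode on output (htmlspecialchars with ENT_QUOTES).
// 2. Open redirect: an absolute URL was accepted as the post-login
//    Location. Mitigation: accept only a local absolute-path reference.
//
// Note: PHP already percent-decodes query parameters, so the advisory's
// "http%3a//..." arrives in $_GET as "http://..."; do not decode again,
// or a legitimate path containing %2F changes meaning.

/**
 * Return a safe post-login target. Only a relative reference that starts
 * with exactly one "/" (no scheme, no host, not the protocol-relative
 * "//" or "/\" forms, no control characters) is accepted; everything
 * else falls back to $default.
 */
function safe_redirect_target(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // parse_url() exposes any scheme or authority component.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    // Must be an absolute-path reference: "/" not followed by "/" or "\".
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $default;
    }
    // CR/LF or other control characters would allow header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    return $candidate;
}

/** Render the hidden redirect field with proper attribute encoding. */
function render_redirect_field(string $target): string
{
    return '<input type="hidden" name="redirect_url" value="'
        . htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Constructed inputs as the handler would see them after PHP's decoding.
$samples = [
    'http://www.boeserangreifer.de/',             // advisory's open-redirect value
    '1"><script>alert("Help Me")</script><l="',   // advisory's attribute break-out
    '//www.boeserangreifer.de/',                  // protocol-relative form (constructed)
    '/files/index.php?dir=%2FDocuments',          // legitimate local path (constructed)
];
foreach ($samples as $s) {
    $target = safe_redirect_target($s);
    echo "input:  $s\n";
    echo "target: $target\n";
    echo "field:  " . render_redirect_field($target) . "\n\n";
}
// In the real handler, after the credentials check:
//   header('Location: ' . safe_redirect_target($_POST['redirect_url'] ?? null));
```

With these inputs the first three candidates all fall back to "/", and the reflected-XSS payload, even where it has to be echoed, comes out as `&quot;&gt;&lt;script&gt;...`, so it can no longer terminate the attribute. The allow-list approach (local path only) is preferable to a deny-list of schemes because browsers accept several scheme-less forms such as `//host` that a scheme check misses.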

Disclosure Timeline:
2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
2012/02/01 vendor contacted via E-Mail
2012/02/02 vendor response
2012/04/16 asked vendor for status updates
2012/04/16 vendor status: patched with version 3.0.2
2012/04/18 public disclosure

Credits:
Tobias Glemser ([email protected])
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.