# Multiple XSS vulnerabilities (oC-SA-2013-003)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-003/
## CVE IDENTIFIERS
- CVE-2013-0297, CVE-2013-0307 (4.0 & 4.5)
- CVE-2013-0298 (4.5)
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12
## DESCRIPTION
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6
and 4.0.11 and all prior versions allow remote attackers to inject
arbitrary web script or HTML via
- the "site_name" and "site_url" POST parameters to setsites.php in
  /apps/external/ajax/ (CVE-2013-0297)
  - Commits: e0140a (stable45), 1fbb89a (stable4)
  - Risk: Low
  - Note: Successful exploitation of this stored XSS requires the
    "external" app to be enabled (disabled by default) and administrator
    privileges.
- the group input field to settings.php (CVE-2013-0307)
  - Commits: e2faa92 (stable45), 57f40b2 (stable4)
  - Risk: Low
  - Note: Successful exploitation of this DOM-based self-XSS requires
    administrator privileges.
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6
and all prior versions (except 4.0.x) allow remote attackers to inject
arbitrary web script or HTML via
- the import of a specially crafted iCalendar file via the calendar
  application (CVE-2013-0298)
  - Commits: 6608da2 (stable45)
  - Risk: High
  - Note: Successful exploitation of this stored XSS requires the
    "calendar" app to be enabled (enabled by default); an attacker may be
    able to share the crafted event with other users.
- the "dir" and "file" GET parameters to viewer.php in
  /apps/files_pdfviewer/ (CVE-2013-0298)
  - Commits: 04cbec7 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this reflected XSS requires the
    "files_pdfviewer" app to be enabled (enabled by default).
- the "mountpoint" POST parameter to addMountPoint.php in
  /apps/files_external/ (CVE-2013-0298)
  - Commits: / (stable45)
  - Risk: Low
  - Note: Successful exploitation of this reflected XSS requires the
    "files_external" app to be enabled (disabled by default).
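Every item above is the same defect: a request parameter is copied into HTML without context-appropriate escaping. The following PHP is an added illustration of the defensive pattern, not ownCloud's code and not the content of the commits listed; the function names (e, safeHref, renderSite, renderViewer) and the sample values are illustrative, and the code assumes PHP 7.0 or later for the scalar type hints.

```php
<?php
// Added example (not ownCloud code): rendering untrusted parameters such as
// "site_name"/"site_url" (stored) or "dir"/"file" (reflected) without XSS.
declare(strict_types=1);

/** Escape a string for an HTML text node or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * A URL destined for href="" needs more than escaping: escaping stops the
 * attribute from being closed early, but a javascript: or data: scheme is
 * still executed by the browser. Only absolute http(s) URLs are accepted here.
 */
function safeHref(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '#';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

/** Render one stored "external site" entry (name and link) as a list item. */
function renderSite(string $siteName, string $siteUrl): string
{
    return '<li><a href="' . safeHref($siteUrl) . '">' . e($siteName) . '</a></li>';
}

/** Render reflected "dir"/"file" values into data attributes of a viewer element. */
function renderViewer(string $dir, string $file): string
{
    // Escaping covers the HTML context only; validating the path against the
    // user's storage root is a separate, additional check.
    return '<div id="viewer" data-dir="' . e($dir) . '" data-file="' . e($file) . '"></div>';
}

// Constructed sample values standing in for hostile POST/GET input.
$hostileName = '"><script>alert(1)</script>';
$hostileUrl  = 'javascript:alert(1)';
echo renderSite($hostileName, $hostileUrl), PHP_EOL;
echo renderViewer('/docs', 'a" onmouseover="alert(1)'), PHP_EOL;
```

Run it with the PHP CLI and compare the two printed lines against the raw inputs: the angle brackets and quotes come out as entities, and the javascript: link collapses to `#`. The same escaping is what makes an imported iCalendar summary safe to display, which is why escaping belongs at the point of output rather than at import time.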
## CREDITS
The ownCloud Team would like to thank Sabari Selvan
(http://www.ehackingnews.com) for discovering an XSS vulnerability
(CVE-2013-0307).
## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2
---------------------------------------
# Multiple CSRF vulnerabilities (oC-SA-2013-004)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-004/
## CVE IDENTIFIERS
- CVE-2013-0299 (4.0 & 4.5)
- CVE-2013-0300 (4.5)
- CVE-2013-0301 (4.0)
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12
## DESCRIPTION
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud
4.5.6 and 4.0.11 and all prior versions allow remote attackers
to hijack the authentication of users via
- the "lat" and "lng" POST parameters to guesstimezone.php in
  /apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits: 452a626 (stable45), 015ac6a (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
    app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of the user.
- the "timezonedetection" POST parameter to timezonedetection.php in
  /apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits: 452a626 (stable45), 97d0cee (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
    app to be enabled (enabled by default).
  - Impact: An attacker may be able to disable or enable the automatic
    timezone detection.
- the "admin_export" POST parameter to settings.php in
  /apps/admin_migrate/ (CVE-2013-0299)
  - Commits: bc93744 (stable45), 28dc89e (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the
    "admin_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to import a user account.
- the "operation" POST parameter to export.php in
  /apps/user_migrate/ajax/ (CVE-2013-0299)
  - Commits: 2de405a (stable45), de9befd (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the
    "user_migrate" app to be enabled (disabled by default).
  - Impact: An attacker may be able to overwrite files of the logged-in user.
- multiple unspecified POST parameters to settings.php in
  /apps/user_ldap/ (CVE-2013-0299)
  - Commits: 5ec272d (stable45), b966095 (stable4)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the
    "user_ldap" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud
4.5.6 and all prior versions (except 4.0.x) allow remote attackers to
hijack the authentication of users via
- the "v" POST parameter to changeview.php in /apps/calendar/ajax/
  (CVE-2013-0300)
  - Commits: 452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
    app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the default view of a user.
- multiple unspecified parameters to addRootCertificate.php,
  dropbox.php and google.php in /apps/files_external/ajax/
  (CVE-2013-0300)
  - Commits: 2e819d6 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this CSRF requires the
    "files_external" app to be enabled (disabled by default).
  - Impact: An attacker may be able to mount arbitrary Google Drive or
    Dropbox folders into the internal filesystem.
- multiple unspecified POST parameters to settings.php in
  /apps/user_webdavauth/ (CVE-2013-0300)
  - Commits: 9282641 (stable45)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the
    "user_webdavauth" app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.
A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11
and all prior versions allows remote attackers to hijack the
authentication of users via
- the "timezone" POST parameter to settimezone.php in
  /apps/calendar/ajax/settings/ (CVE-2013-0301)
  - Commits: 452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the "calendar"
    app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of a user.
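What all of these endpoints lacked is a proof that the POST originated from a page the application itself served to this session. The PHP below is an added example of a synchronizer-token check for a state-changing AJAX handler, written here for illustration; it is not ownCloud's code and does not reproduce the listed commits. The field and header names (csrftoken, X-CSRFToken) and the timezone handler are illustrative, and random_bytes/hash_equals require PHP 7.0 or later.

```php
<?php
// Added example (not ownCloud code): synchronizer-token CSRF protection
// for a POST endpoint such as a timezone setting handler.
declare(strict_types=1);

session_start();

/** Return the per-session token, creating it on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Compare a submitted token with the session token in constant time. */
function csrfTokenValid(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Guard for POST handlers: a missing or wrong token ends the request with 403. */
function requireCsrfToken(): void
{
    // Accept the token either as a form field or as a custom request header
    // (the header form is convenient for XMLHttpRequest callers).
    $submitted = $_POST['csrftoken'] ?? ($_SERVER['HTTP_X_CSRFTOKEN'] ?? null);
    if (!csrfTokenValid($submitted)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['status' => 'error', 'message' => 'CSRF check failed']);
        exit;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    requireCsrfToken();                  // runs before any state is touched
    $timezone = $_POST['timezone'] ?? '';
    if (!in_array($timezone, timezone_identifiers_list(), true)) {
        http_response_code(400);
        exit('unknown timezone');
    }
    $_SESSION['timezone'] = $timezone;   // stand-in for the real settings store
    header('Content-Type: application/json');
    echo json_encode(['status' => 'success']);
} else {
    // Same-origin page rendering: embed the token so legitimate forms carry it.
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrftoken" value="' . $token . '">'
       . '<input name="timezone"><button>Save</button></form>';
}
```

Two properties matter: the token is unguessable and bound to the session, so a cross-site page cannot supply it, and the check runs before the handler reads any other parameter. An attacker-controlled site can still make the browser send the session cookie, which is why the cookie alone must never be taken as proof of intent.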
## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2
---------------------------------------
# Information disclosure (oC-SA-2013-005)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-005/
## CVE IDENTIFIER
- CVE-2013-0302
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
## RISK
Low
## Commits
- c67261fe (stable45)
## DESCRIPTION
Due to the inclusion of the Amazon SDK testing suite, an
unauthenticated attacker is able to gain additional information about
the server, including:
- the PHP version
- the cURL version
- whether the following functions/modules are available:
  - SimpleXML
  - DOM
  - SPL
  - JSON
  - PCRE
  - File System Read/Write
  - OpenSSL
  - Zlib
  - APC
  - XCache
  - Memcache
  - Memcached
  - PDO
  - PDO-SQLite
  - SQLite 2
  - SQLite 3
- the following PHP settings:
  - open_basedir
  - safe_mode
  - zend.enable_gc
- the server architecture (32-bit/64-bit)
## RESOLUTION
Update to ownCloud Server 4.5.7
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
---------------------------------------
# Multiple code executions (oC-SA-2013-006)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-006/
## CVE IDENTIFIER
- CVE-2013-0303
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
- ownCloud Server < 4.0.12
## RISK
Critical
## DESCRIPTION
A code execution vulnerability in ownCloud 4.5.6 and 4.0.11 and all
prior versions allows authenticated remote attackers to execute
arbitrary PHP code via
- unspecified POST parameters to translations.php in /core/ajax/
  - Commits: 74e73bc (stable4), ece08cd (stable45)
  - Risk: Critical
A code execution vulnerability in ownCloud 4.5.6 and all prior
versions (except ownCloud 4.0.x) allows authenticated remote attackers
to execute arbitrary PHP code via
- unspecified POST parameters to settings.php in /core/
  - Commits: 746aa0 (stable45)
  - Risk: Critical
## RESOLUTION
Update to ownCloud Server 4.5.7 or 4.0.12
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
http://mirrors.owncloud.org/releases/owncloud-4.0.12.tar.bz2
---------------------------------------
# Privilege escalation in the calendar application (oC-SA-2013-007)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-007/
## CVE IDENTIFIER
- CVE-2013-0304
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.7
## RISK
High
## COMMIT
- d4802d8 (stable45)
## DESCRIPTION
Due to not properly checking the ownership of a calendar, an
authenticated attacker is able to download calendars of other users
via the "calid" GET parameter to export.php in /apps/calendar/.
Note: Successful exploitation of this CSRF requires the "calendar" app
to be enabled (enabled by default).
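The defect is a missing authorization check on an object selected by a client-supplied id. The PHP below is an added example of the ownership check an export handler needs, not ownCloud's code and not the content of commit d4802d8. The storage functions (findCalendar, currentUserId), the in-memory calendar table and the user names are hypothetical stand-ins; nullable return types require PHP 7.1 or later.

```php
<?php
// Added example (not ownCloud code): authorize a calendar export by owner
// before returning data selected via an untrusted "calid" parameter.
declare(strict_types=1);

session_start();

/** Hypothetical lookup: ['id' => int, 'owner' => string, 'ics' => string] or null. */
function findCalendar(int $calid): ?array
{
    // Constructed in-memory table standing in for the database.
    static $calendars = [
        1 => ['id' => 1, 'owner' => 'alice', 'ics' => "BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"],
        2 => ['id' => 2, 'owner' => 'bob',   'ics' => "BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"],
    ];
    return $calendars[$calid] ?? null;
}

/** Hypothetical: the user authenticated for this request ('' if none). */
function currentUserId(): string
{
    return $_SESSION['user_id'] ?? '';
}

/**
 * Return the iCalendar text only if $user owns calendar $calid.
 * "Does not exist" and "not yours" are deliberately indistinguishable so the
 * endpoint cannot be used to enumerate other users' calendar ids.
 */
function exportCalendarFor(string $user, int $calid): ?string
{
    if ($user === '') {
        return null;
    }
    $calendar = findCalendar($calid);
    if ($calendar === null || $calendar['owner'] !== $user) {
        return null;
    }
    return $calendar['ics'];
}

// Validate the id as an integer before it reaches storage at all.
$calid = filter_input(INPUT_GET, 'calid', FILTER_VALIDATE_INT);
if ($calid === null || $calid === false) {
    http_response_code(400);
    exit('missing or invalid calid');
}

$ics = exportCalendarFor(currentUserId(), $calid);
if ($ics === null) {
    http_response_code(404);   // a 403 here would confirm that the id exists
    exit('calendar not found');
}

header('Content-Type: text/calendar; charset=utf-8');
header('Content-Disposition: attachment; filename="calendar.ics"');
echo $ics;
```

In a deployment where calendars can be shared (as the XSS advisory above notes they can), the ownership test would be widened to "owner or has a share grant", but the shape stays the same: the decision is made server-side from the session identity and the stored record, never from anything in the request.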
## CREDITS
The ownCloud Team would like to thank Romain Severin
(http://www.intrinsec.com/) for discovering this vulnerability.
## RESOLUTION
Update to ownCloud Server 4.5.7
http://mirrors.owncloud.org/releases/owncloud-4.5.7.tar.bz2
--
ownCloud
Your Cloud, Your Data, Your Way!