-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Multiple XSS vulnerabilities (oC-SA-2013-008)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-008/
## CVE IDENTIFIERS
- CVE-2013-1822
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.8
## DESCRIPTION
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before
4.5.8 (the 4.0.x branch is not affected) allow remote attackers to
inject arbitrary web script or HTML via
- the "quota" POST parameter to setquota.php in /core/settings/ajax/
  - Commits: 2364c79 (stable45)
  - Risk: Low
  - Note: Successful exploitation of this stored XSS requires
    administrator privileges.
- the group input field to settings.php (CVE-2013-0307)
  - Commits: 4cff6df (stable45)
  - Risk: Low
  - Note: Successful exploitation of this DOM-based self-XSS requires
    group admin privileges.
- the "share with" input field
  - Commits: 7b0a8f4 (stable45)
  - Risk: Low
  - Note: Successful exploitation of this DOM-based self-XSS requires
    group admin privileges.
## RESOLUTION
Update to ownCloud Server 5.0.0 or 4.5.8
http://download.owncloud.org/community/owncloud-5.0.0.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.8.tar.bz2
---------------------------------------
# Contacts: Bypass of file blacklist (oC-SA-2013-009)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-009/
## CVE IDENTIFIERS
- CVE-2013-1850
## RISK
- Critical
## COMMITS
- stable4: fae5bd3
- stable45: e294a16, 1314e6d
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.8
- ownCloud Server < 4.0.13
## DESCRIPTION
Incomplete blacklist vulnerability in apps/contacts/import.php and
apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and
4.5.8 allows an authenticated remote attacker to upload a .htaccess
file and thereby execute arbitrary PHP code on a standard Apache
installation.
Note: Successful exploitation of this vulnerability requires the
contacts application to be enabled (enabled by default) and the data
directory to be located inside the webroot.
## RESOLUTION
Update to ownCloud Server 5.0.0, 4.5.8 or 4.0.13
http://download.owncloud.org/community/owncloud-5.0.0.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.8.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2
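The two things an operator wants to verify for this advisory are the
deployment precondition (is the data directory served by Apache, so an
uploaded .htaccess would be honoured?) and the root cause (a file-name
blacklist that can be bypassed). The following Python script is an added
example written for this page; it is not ownCloud's code and does not
reproduce the original blacklist. The sample config.php text, the
ALLOWED_IMPORT_EXTENSIONS allow-list and the function names are
assumptions made for the illustration.

```python
import os
import re

# Constructed sample of an ownCloud config/config.php, written for this
# example; it is not copied from any real installation.
SAMPLE_CONFIG_PHP = """<?php
$CONFIG = array (
  'instanceid' => 'oc0123456789',
  'datadirectory' => '/var/www/owncloud/data',
  'dbtype' => 'sqlite',
  'installed' => true,
);
"""

# Assumption: the contacts importer only ever needs vCard files, so an
# allow-list of extensions replaces the incomplete name blacklist.
ALLOWED_IMPORT_EXTENSIONS = {".vcf", ".vcard"}


def read_datadirectory(config_text):
    """Return the 'datadirectory' string from config.php text, or None.

    Assumes the value is a quoted string literal, which is how the ownCloud
    installer writes it.
    """
    match = re.search(r"""['"]datadirectory['"]\s*=>\s*(['"])(.*?)\1""", config_text)
    return match.group(2) if match else None


def is_inside(base, path):
    """True if path equals base or lies below it (textual comparison only).

    The separator is appended so that /var/www/owncloud-data is not mistaken
    for a child of /var/www/owncloud.
    """
    base = os.path.normpath(base)
    path = os.path.normpath(path)
    return path == base or path.startswith(base + os.sep)


def data_dir_in_webroot(config_text, webroot):
    """Deployment precondition from the advisory: would Apache serve the
    data directory, and so honour a .htaccess dropped into it?"""
    datadir = read_datadirectory(config_text)
    if datadir is None:
        raise ValueError("datadirectory not found in config.php")
    return is_inside(webroot, datadir)


def safe_import_name(filename):
    """Allow-list check for an uploaded import file name.

    Rejects dotfiles (covering .htaccess and .htpasswd in any letter case),
    names without an extension, and names containing a 'php' segment,
    because Apache's AddHandler matches such segments anywhere in the name
    (shell.php.vcf runs as PHP on some configurations).
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False
    if any(seg.startswith("php") or seg == "phtml" for seg in segments[1:]):
        return False
    return "." + segments[-1] in ALLOWED_IMPORT_EXTENSIONS


if __name__ == "__main__":
    for root in ("/var/www/owncloud", "/var/www/html"):
        print(root, "serves data dir:", data_dir_in_webroot(SAMPLE_CONFIG_PHP, root))
    for candidate in (".htaccess", "../.HTACCESS", "addressbook.vcf", "shell.php.vcf"):
        print(repr(candidate), "accepted:", safe_import_name(candidate))
```

Run it against your own config.php by replacing SAMPLE_CONFIG_PHP with the
file's contents; if data_dir_in_webroot reports True, moving the data
directory out of the document root (or setting AllowOverride None for it)
removes the precondition independently of the upgrade.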
---------------------------------------
# user_migrate: Local file disclosure (oC-SA-2013-010)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-010/
## CVE IDENTIFIERS
- CVE-2013-1851
## RISK
- High
## COMMITS
- stable4: edf7162
- stable45: 7b6a022
## AFFECTED SOFTWARE
- ownCloud Server < 4.5.8
- ownCloud Server < 4.0.13
## DESCRIPTION
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud
before 4.0.13 and 4.5.8 allows an authenticated remote attacker to
import arbitrary files from the server into his own user account
(local file disclosure).
Note: Successful exploitation of this vulnerability requires the
user_migrate application to be enabled (disabled by default).
## RESOLUTION
Update to ownCloud Server 5.0.0, 4.5.8 or 4.0.13
http://download.owncloud.org/community/owncloud-5.0.0.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.8.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2
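Both this advisory and oC-SA-2013-009 above are incomplete-blacklist
bugs, and the durable fix for a path taken from the user is not a longer
blacklist but a containment check: resolve the requested path and refuse
it unless it lies inside the directory the user is allowed to read from.
The Python below is an added example written for this page, not
ownCloud's lib/migrate.php; the directory layout it builds under a
temporary directory is constructed for the illustration, and the function
names are assumptions.

```python
import os
import shutil
import tempfile


def resolve_inside(base_dir, requested):
    """Return the real path of `requested` if, after resolving symlinks and
    '..' components, it lies inside base_dir; otherwise raise PermissionError.

    A name blacklist cannot enumerate every way out of a directory; comparing
    the resolved path against the user's own directory closes all of them at
    once, including symlinks planted inside that directory.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute, so an absolute
    # request is checked against base exactly like a relative one.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PermissionError(f"{requested!r} resolves outside the user directory")
    return candidate


def import_allowed(base_dir, requested):
    """Boolean wrapper around resolve_inside for tabulating results."""
    try:
        resolve_inside(base_dir, requested)
        return True
    except PermissionError:
        return False


def build_fixture():
    """Constructed directory tree for the example (created under a temporary
    directory, not taken from any real ownCloud install):

        root/data/alice/export.zip        legitimate import inside the user's dir
        root/data/alice/escape -> root/secret   symlink planted inside it
        root/secret/passwd.txt            file the user must not be able to read
    """
    root = tempfile.mkdtemp(prefix="oc_migrate_")
    user_dir = os.path.join(root, "data", "alice")
    secret_dir = os.path.join(root, "secret")
    os.makedirs(user_dir)
    os.makedirs(secret_dir)
    with open(os.path.join(user_dir, "export.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04")  # constructed placeholder, not a real archive
    with open(os.path.join(secret_dir, "passwd.txt"), "w") as fh:
        fh.write("root:x:0:0\n")  # constructed content
    os.symlink(secret_dir, os.path.join(user_dir, "escape"))
    return root, user_dir


def run_checks():
    """Evaluate representative import requests against the fixture and
    return {label: allowed?}; the fixture is removed afterwards."""
    root, user_dir = build_fixture()
    try:
        cases = {
            "inside": "export.zip",
            "dotdot": "../../secret/passwd.txt",
            "symlink": "escape/passwd.txt",
            "absolute": os.path.join(root, "secret", "passwd.txt"),
            "normalised_inside": "sub/../export.zip",
        }
        return {label: import_allowed(user_dir, req) for label, req in cases.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, allowed in run_checks().items():
        print(f"{label:18} allowed={allowed}")
```

Only the "inside" and "normalised_inside" requests are accepted; the
traversal, the planted symlink and the absolute path are all refused by the
same comparison, which is the property a blacklist of path fragments cannot
offer.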
--
ownCloud
Your Cloud, Your Data, Your Way!
GPG: 0xEB32B77BA406BE99
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v.1.20121007
Comment: http://openpgpjs.org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=9rrE
-----END PGP SIGNATURE-----
ownCloud Security Advisories (2013-008, 2013-009, 2013-010)