Bug 1273004 (CVE-2015-4716, CVE-2015-4717, CVE-2015-4718, CVE-2015-5953, CVE-2015-5954, CVE-2015-7699) - CVE-2015-4717 CVE-2015-4718 CVE-2015-5953 CVE-2015-5954 CVE-2015-7699 CVE-2015-4716 owncloud: Multiple vulnerabilities fixed
Summary: CVE-2015-4717 CVE-2015-4718 CVE-2015-5953 CVE-2015-5954 CVE-2015-7699 CVE-201...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-4716, CVE-2015-4717, CVE-2015-4718, CVE-2015-5953, CVE-2015-5954, CVE-2015-7699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1273005 1273006
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-19 12:02 UTC by Adam Mariš
Modified: 2019-09-29 13:38 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-19 18:05:24 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2015-10-19 12:02:08 UTC
Multiple vulnerabilities appeared in owncloud:

------------------------------------------------

CVE-2015-4717:

The sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this lead to a endless loop filling the log file until the system is not anymore responsive. This was caused by the PHP behaviour of allowing to cast $_GET values to an array.

Affects: owncloud < 6.0.8, owncloud < 7.0.6, owncloud < 8.0.4

Upstream patch:

https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e

Upstream advisory:

https://owncloud.org/security/advisory/?id=oc-sa-2015-007

------------------------------------------------

CVE-2015-4718:

The external SMB storage of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ; character which is interpreted as command separator by smbclient (the used software to connect to SMB shared by ownCloud). Effectively this allows an attacker to gain access to any file on the system or overwrite it, finally leading to a PHP code execution in the case of ownCloud’s config file.

Affects: owncloud < 6.0.8, owncloud < 7.0.6, owncloud < 8.0.4

Upstream patch:

https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4

Upstream advisory:

https://owncloud.org/security/advisory/?id=oc-sa-2015-008

------------------------------------------------

CVE-2015-5953:

Due to not sanitising all user provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful exploitation requires that the adversary is able to create files containing the " character. This character is forbidden by default in any current ownCloud version except 8.1.0 RC1, thus an actual exploitation requires that the user has mounted an external storage within ownCloud where a user can create files with such characters. Alternatively an adversary may discover a way to circumvent the input validation. (ownCloud is not aware of a bypass of to the input validation) – Furthermore the attacker must be able to share a folder containing the files with malicious filename with the victim. Since ownCloud employs a strict Content-Security-Policy that forbids inline script execution. Thus this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy. (Firefox >= 23, Chrome >= 25, Safari >= 7)

Affects: owncloud < 7.0.5, owncloud < 8.0.4

Upstream advisory:

https://owncloud.org/security/advisory/?id=oc-sa-2015-010

------------------------------------------------

CVE-2015-5954:

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that setup a virtual chroot or other security relevant limitations PHP would typecast the return value to an empty string and thus effectively bypassing the internal security functions of ownCloud. getPath with a return type of null is a common occurrence in case a folder has been shared publicly and the parent item has been deleted later from the database. Due to missing foreign keys the share is still considered valid and will finally resolve to the users' root directory. In such cases an adversary with knowledge of the sharing link to a deleted item may be able to access all files of the user and not only the original shared directory.

Affects: owncloud < 7.0.7, owncloud < 8.0.5, owncloud < 6.0.9

Upstream advisory:

https://owncloud.org/security/advisory/?id=oc-sa-2015-011

------------------------------------------------

CVE-2015-7699:

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution.

Affects: owncloud < 8.1.2, owncloud < 8.0.7, owncloud < 7.0.9

Upstream patches:

https://github.com/owncloud/core/commit/a1706f61aaf822aeba4ea9e84b53c5cea984f8e4
https://github.com/owncloud/core/commit/595381b9bd5676492ff8957de0590982ed1864a4
https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f

Upstream advisory:

https://owncloud.org/security/advisory/?id=oc-sa-2015-018

Comment 1 Adam Mariš 2015-10-19 12:05:31 UTC
Created owncloud tracking bugs for this issue:

Affects: fedora-all [bug 1273005]
Affects: epel-all [bug 1273006]

Comment 2 Martin Prpič 2015-10-19 12:35:23 UTC
External References CVE-2015-4717:

https://owncloud.org/security/advisory/?id=oc-sa-2015-007

External References CVE-2015-4718:

https://owncloud.org/security/advisory/?id=oc-sa-2015-008

External References CVE-2015-5953:

https://owncloud.org/security/advisory/?id=oc-sa-2015-010

External References CVE-2015-5954:

https://owncloud.org/security/advisory/?id=oc-sa-2015-011

External References CVE-2015-7699:

https://owncloud.org/security/advisory/?id=oc-sa-2015-018

Comment 3 Adam Williamson 2015-10-19 18:05:24 UTC
ownCloud 8.0.8 is already in stable for all Fedora/EPEL releases except EL 6. ownCloud 7.0.10 is already in stable for EL 7. Thus none of this affects us and you're just wasting my time. Please be more careful in future.

Comment 4 Martin Prpič 2015-10-20 09:16:09 UTC
CVE-2015-4716:

Due to an improper control of the filename for a require_once() statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions when running on the MS Windows Platform.

Depending on the ownCloud configuration and the authentication state of a remote attacker this vulnerability may have different impact. Specifically:

* An unauthenticated remote attacker is able to reinstall the instance in case he is able to connect to a database or the SQLite driver is installed. This will overwrite the existing configuration and existing users will not be able to login anymore. This attack is very likely to be noticed, however an attacker is granted administrative access to the ownCloud instance. If a backup of the configuration file is accessible for the web server user the attacker might restore it after a successful exploitation to cover the attack

* An unauthenticated remote attacker is able to execute arbitrary PHP code if he is able to upload files using the public upload functionality and he can guess the full path of the folder.

* An authenticated remote attacker is able to execute arbitrary PHP code if the /data/ directory is below the ownCloud root. The directory can be moved using the datadirectory configuration in config/config.php.

External References CVE-2015-4716:

https://owncloud.org/security/advisory/?id=oc-sa-2015-006


Note You need to log in before you can comment on or make changes to this bug.