Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

November 24, 2023 at 11:30PM

The open-source file-sharing software ownCloud has warned users about three critical security flaws that could expose sensitive information and allow for file modification. The vulnerabilities involve disclosure of credentials and configuration, authentication bypass, and subdomain validation bypass. The company recommends specific fixes for each flaw. Additionally, a critical remote code execution vulnerability in CrushFTP has been discovered and addressed in a recent release.

Meeting Summary:

Date: November 25, 2023
Topic: Newsroom Data Security / Vulnerability

During the meeting, it was discussed that the open-source file-sharing software, ownCloud, has identified three critical security flaws. The vulnerabilities are as follows:

1. Disclosure of sensitive credentials and configuration in containerized deployments (graphapi versions 0.2.0 to 0.3.0)
– Risk Level (CVSS score): 10.0
– This flaw allows the disclosure of PHP environment configuration details, including sensitive data such as admin passwords, mail server credentials, and license keys.
– ownCloud recommends deleting the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disabling the ‘phpinfo’ function. Additionally, users are advised to change admin passwords, mail server and database credentials, and Object-Store/S3 access keys.

2. WebDAV API Authentication Bypass using Pre-Signed URLs (core versions 10.6.0 to 10.13.0)
– Risk Level (CVSS score): 9.8
– With this vulnerability, it is possible to access, modify, or delete files without authentication if the username of the victim is known and the victim has no signing-key configured (default behavior).

3. Subdomain Validation Bypass (oauth2 prior to version 0.6.1)
– Risk Level (CVSS score): 9.0
– This flaw allows for improper access control, enabling an attacker to redirect callbacks to a top-level domain (TLD) controlled by the attacker.
– ownCloud suggests adding hardening measures to the validation code in the oauth2 app and recommends that users disable the “Allow Subdomains” option as a workaround.
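
A defender-side check for the two remediation steps in item 1, as an added example that is not ownCloud's code: it reports whether the GetPhpInfo.php file is still on disk and whether phpinfo is listed in disable_functions. The base-directory and php.ini arguments, the function names and the demo tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not ownCloud's code). BASE is the directory that contains the
# "owncloud/" tree and INI is the php.ini read by the web SAPI; both are
# assumptions supplied by the caller.

# Path of the test file named in the advisory summary, relative to BASE.
PHPINFO_REL="owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Succeeds if the GetPhpInfo.php file is still on disk.
phpinfo_file_present() {
    [ -e "$1/$PHPINFO_REL" ]
}

# Succeeds if the last active disable_functions line in INI lists phpinfo.
phpinfo_disabled() {
    local value
    # Strip ';' comments first so a commented-out directive never counts.
    value=$(sed -n -e 's/;.*$//' \
        -e 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' \
        "$1" 2>/dev/null | tail -n 1)
    # Drop quotes and whitespace, split on commas, require an exact name match.
    printf '%s\n' "$value" | tr -d '" \t\r' | tr ',' '\n' | grep -qx 'phpinfo'
}

# Prints one line per open finding; returns 0 only when both steps are done.
audit() {
    local base=$1 ini=$2 rc=0
    if phpinfo_file_present "$base"; then
        echo "FINDING: $base/$PHPINFO_REL still exists"; rc=1
    fi
    if ! phpinfo_disabled "$ini"; then
        echo "FINDING: phpinfo not listed in disable_functions in $ini"; rc=1
    fi
    return "$rc"
}

# Constructed demo: a throwaway tree that mimics an unremediated install.
demo() {
    local tmp; tmp=$(mktemp -d)
    mkdir -p "$tmp/$(dirname "$PHPINFO_REL")"
    : > "$tmp/$PHPINFO_REL"
    printf ';disable_functions = phpinfo\ndisable_functions = exec\n' > "$tmp/php.ini"
    audit "$tmp" "$tmp/php.ini" || echo "remediation incomplete"
    rm -rf "$tmp"
}
demo
```

The check reads a single php.ini file only; the PHP CLI and the web server often load different ini files, and settings in additional scanned ini directories are not examined.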

Additionally, it was noted that a Proof-of-Concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177). The vulnerability allows an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords. This vulnerability has been addressed in CrushFTP version 10.5.2, released on August 10, 2023. Users are advised to update to this version to mitigate the risk.
