ownCloud vulnerability can be used to extract admin passwords

A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords.

Malwarebytes

ownCloud has warned users about three critical security flaws in its file-sharing software which, if exploited, could reveal sensitive information and allow files to be modified. The most impactful of the three is a vulnerability that could disclose sensitive credentials and configuration in containerized deployments.

ownCloud is a very widely used open-source project that allows users to host and sync files. ownCloud says on its own website that it has 200 million users, including 600 enterprises.

The vulnerabilities stem from one of the building blocks of the project.

“The graphapi app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).”

Microsoft’s Graph API (graphapi) is a web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API.

A Shodan search shows many thousands of exposed services, especially in Germany and the US.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the found vulnerabilities are:

CVE-2023-49105 (CVSS score 9.8 out of 10): An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

CVE-2023-49104 (CVSS score 9 out of 10): An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain (TLD) controlled by the attacker.

Redirect URLs are a critical part of the OAuth (authentication) flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.
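The redirect-URL check described above, as an added example (not ownCloud's oauth2 app code): a strict comparison of a candidate callback against the registered one, with an "allow subdomains" mode that only accepts a host ending in "." plus the registered host. The registered URL and the sample callbacks are constructed for the demonstration; the article does not describe how the real bypass works, so this shows only what a sound check looks like.

```python
from urllib.parse import urlsplit

def redirect_uri_allowed(candidate, registered, allow_subdomains=False):
    """Exact-match redirect URI check; in subdomain mode a genuine subdomain of the registered host is also accepted."""
    c, r = urlsplit(candidate), urlsplit(registered)
    if c.scheme != r.scheme or c.scheme not in ("http", "https"):
        return False                 # no scheme downgrade and no javascript:/data: schemes
    if c.username or c.password:
        return False                 # "https://app.example.com@attacker.test/" parses to host attacker.test
    try:
        if c.port != r.port:
            return False             # ":8443" or an explicit ":443" is a different endpoint
    except ValueError:
        return False                 # unparsable port
    if not c.hostname or not r.hostname:
        return False
    cand_host, reg_host = c.hostname.rstrip("."), r.hostname.rstrip(".")
    host_ok = cand_host == reg_host or (allow_subdomains and cand_host.endswith("." + reg_host))
    if not host_ok:
        return False                 # rejects app.example.com.attacker.test even in subdomain mode
    return c.path == r.path          # path must be identical; no prefix or substring matching

REGISTERED = "https://app.example.com/oauth/callback"   # constructed sample registration

def check_samples(allow_subdomains):
    """Evaluate a few constructed callback URLs against REGISTERED; returns {url: allowed}."""
    samples = [
        "https://app.example.com/oauth/callback",                  # exact match
        "https://files.app.example.com/oauth/callback",            # genuine subdomain
        "https://app.example.com.attacker.test/oauth/callback",    # host under an attacker-controlled TLD
        "https://app.example.com@attacker.test/oauth/callback",    # userinfo trick, real host is attacker.test
        "http://app.example.com/oauth/callback",                   # scheme downgrade
        "https://app.example.com/oauth/callback/../../admin",      # path mismatch
    ]
    return {u: redirect_uri_allowed(u, REGISTERED, allow_subdomains) for u in samples}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"allow_subdomains={mode}")
        for url, ok in check_samples(mode).items():
            print(f"  {'ALLOW ' if ok else 'REJECT'} {url}")
```

With subdomains disabled (the workaround the article gives for CVE-2023-49104) only the exact registered URL passes; with subdomains enabled the genuine subdomain passes too, but the attacker-TLD and userinfo variants are still rejected.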

CVE-2023-49103 (CVSS score 10 out of 10): An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When you access this URL, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. A working Proof of Concept (PoC) for this vulnerability is already available on GitHub.

Ransomware operators could have a field day with this vulnerability. As they have shown in the past, they love file-sharing apps almost as much as they love admin passwords. It allows them to roam free in your network and move the stolen data to a location under their control at your expense.

What to do

ownCloud says you should delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Simply disabling the graphapi app won’t eliminate the vulnerability.

In newer versions, ownCloud has disabled the phpinfo function in its Docker containers, and it has promised to apply various hardenings in future core releases to mitigate similar vulnerabilities.

Then change the following:

  • Your ownCloud admin password
  • The mail server credentials
  • Database credentials
  • Object-Store/S3 access-key

Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

If you are unable to patch right now, you can disable the “Allow Subdomains” option as a workaround for CVE-2023-49104.

As a workaround for CVE-2023-49105, you can configure the signing-key.

Instructions on how to update ownCloud can be found on its website.
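Two checks a defender would want after reading the CVE-2023-49103 description and the steps above, as an added example that is not part of the original article: a scan of web-server access logs for requests that reached GetPhpInfo.php (a 200 means phpinfo was served and the credential rotation above is not optional), and a check that the file is actually gone from the install. The second path is the microsoft-graph-core location from the related CVE-2023-49283 entry, assumed here to sit under the same graphapi vendor directory; the log lines and the install root are constructed samples.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Paths relative to the ownCloud install root; the first is the file the advisory says to delete,
# the second is the microsoft-graph-core variant (assumed location under the same app).
PHPINFO_TEST_FILES = (
    "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php",
    "apps/graphapi/vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php",
)

# Combined access-log format (Apache/nginx defaults); only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PHPINFO_PATH_RE = re.compile(r"/vendor/microsoft/microsoft-graph(?:-core)?/tests/GetPhpInfo\.php$", re.IGNORECASE)

def find_phpinfo_requests(log_lines):
    """One record per request that reached GetPhpInfo.php; status 200 means phpinfo output was served."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # drop the query string, then decode percent-encoding (e.g. %2E for ".") before matching
        path = unquote(m.group("target").split("?", 1)[0])
        if PHPINFO_PATH_RE.search(path):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path, "status": int(m.group("status"))})
    return hits

def leftover_phpinfo_files(owncloud_root):
    """Absolute paths of the GetPhpInfo.php files still present under owncloud_root (should be empty after cleanup)."""
    root = Path(owncloud_root)
    return [str(root / rel) for rel in PHPINFO_TEST_FILES if (root / rel).is_file()]

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2023:10:15:02 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 71234 "-" "curl/8.4.0"
198.51.100.4 - - [24/Nov/2023:10:15:09 +0000] "GET /owncloud/index.php/apps/files/ HTTP/1.1" 200 9113 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2023:10:16:41 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo%2Ephp?x=1 HTTP/1.1" 404 512 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for hit in find_phpinfo_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} -> {hit['path']} ({hit['status']})")
    print("files still present:", leftover_phpinfo_files("/var/www/owncloud"))  # assumed install root
```

The 404 hit after the file has been removed is still worth keeping: it tells you who probed for the file and when, which feeds the decision on how far to go with credential rotation.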


Related news

CVE-2023-49283: Test code in published microsoft-graph-core package exposes phpinfo()

microsoft-graph-core is the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at `vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php`. The phpInfo function exposes system information. The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function. This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible. The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that executes the phpinfo() method. The attacker would then be able to get access to system information like configuration, modules, and environment variables and later on use the compromised secrets to access additional data. This pr...

CVE-2023-49282: Test code in published microsoft-graph package exposes phpinfo()

msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The phpInfo function exposes system information. The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function. This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible. The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that executes the phpinfo() method. The attacker would then be able to get access to system information like configuration, modules, and environment variables and later on use the compromised secrets to access additional data. This problem has bee...

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

By Deeba Ahmed. The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score of 10. This is a post from HackRead.com.

CVE-2023-49105: ownCloud security policies and information

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.