The maintainers of open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to expose sensitive information and modify files.
A brief description of the vulnerabilities is as follows –
- Exposure of sensitive credentials and configuration in containerized deployments affecting graphapi versions from 0.2.0 to 0.3.0. (CVSS score: 10.0)
- WebDAV API Authentication Bypass Using Pre-Signed URLs affecting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8)
- Subdomain Validation Bypass affecting oauth2 before version 0.6.1 (CVSS score: 9.0)
“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the company said in its advisory for the first flaw.
“This information includes all environment variables on the web server. In containerized deployments, these environment variables may include sensitive data such as ownCloud admin passwords, mail server credentials, and license keys.”
As a fix, ownCloud recommends deleting the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disabling the ‘phpinfo’ function. It also advises users to rotate secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
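A small audit script for the two graphapi mitigations named above, added here as an example and not ownCloud's own tooling; the web-root and php.ini paths are assumptions passed as arguments, and the demo runs against a constructed layout in a temporary directory:

```sh
#!/bin/sh
# Added example, not from ownCloud: check one install for the two graphapi
# mitigations in the advisory. Arguments (assumed paths):
#   $1 = ownCloud web root (default /var/www/owncloud)
#   $2 = php.ini in effect for the web server's PHP
# Exit status: 0 = both in place, 1 = test file still present,
#              2 = phpinfo not disabled, 3 = both findings.
audit_graphapi_phpinfo() {
  root="${1:-/var/www/owncloud}"
  ini="${2:-/etc/php/php.ini}"
  rel="apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
  rc=0
  if [ -f "$root/$rel" ]; then
    echo "FINDING: $root/$rel is present; remove it"
    rc=$((rc + 1))
  else
    echo "ok: GetPhpInfo.php not found under $root"
  fi
  # disable_functions is a comma-separated list (optionally quoted);
  # strip whitespace and quotes, then match phpinfo as a whole item.
  if [ -r "$ini" ] && grep -Ei '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
       | tr -d ' \t"' | grep -Eiq '=(.*,)?phpinfo(,|$)'; then
    echo "ok: phpinfo listed in disable_functions ($ini)"
  else
    echo "FINDING: phpinfo not disabled in $ini"
    rc=$((rc + 2))
  fi
  return "$rc"
}

# Demo on a constructed (not real) layout: file present, phpinfo not disabled.
main() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/www/apps/graphapi/vendor/microsoft/microsoft-graph/tests"
  : > "$tmp/www/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
  printf 'disable_functions = exec,system\n' > "$tmp/php.ini"
  audit_graphapi_phpinfo "$tmp/www" "$tmp/php.ini"; echo "exit=$?"   # exit=3
  rm -rf "$tmp"
}
main
```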
The second flaw makes it possible to access, modify, or delete any file without authentication if the victim's username is known and the victim has no signing key configured, which is the default behavior.
Finally, the third flaw relates to a case of improper access control that allows an attacker to “pass a specially crafted redirect-url that bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”
Besides adding steps to harden the validation code in the oauth2 app, ownCloud suggests that users disable the “Allow Subdomains” option as a workaround.
The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that can be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and obtain plaintext passwords.
The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.
“This vulnerability is critical because it does NOT require any authentication,” CrushFTP said in an advisory issued at the time. “This can be done anonymously to steal other users' sessions and escalate to an administrative user.”