Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.
ownCloud is an open-source file sync and sharing solution designed for individuals and organizations that want to manage and share files through a self-hosted platform.
It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to keep control over their data rather than hosting it with third-party cloud storage providers. OwnCloud's website reports 200,000 installs, 600 enterprise customers, and 200 million users.
The software consists of multiple libraries and components that work together to provide a range of functionality for the cloud storage platform.
Severe data breach risks
The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.
The first flaw is tracked as CVE-2023-49103 and received a maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, exposing all environment variables of the webserver.
Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details through a URL, revealing ownCloud admin passwords, mail server credentials, and license keys.
The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
"It is important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," warns the security bulletin.
"Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."
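As an added defender-side check (not part of the bulletin or the ownCloud project), this POSIX shell script audits an install for the two remediation points above: whether the vendored GetPhpInfo.php file is still present under the install root, and whether phpinfo is listed in php.ini's disable_functions. The install root and php.ini path are assumed to be passed in by the administrator.

```shell
#!/bin/sh
# Added audit helper, not from ownCloud: checks the CVE-2023-49103 remediation state.
# Assumes $1 is the ownCloud install root (the directory containing apps/) and
# $2 is the php.ini the webserver's PHP actually loads.

# Path the bulletin says to delete, relative to the install root.
GRAPHAPI_PHPINFO='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# Returns 0 (true) if the exposed test file still exists under install root $1.
graphapi_phpinfo_present() {
  [ -f "$1/$GRAPHAPI_PHPINFO" ]
}

# Returns 0 (true) if php.ini $1 lists phpinfo in disable_functions.
# Skips commented-out lines; tolerates spaces around '=' and ','.
phpinfo_disabled_in_ini() {
  grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null \
    | tr -d ' \t' \
    | sed 's/^disable_functions=//' \
    | tr ',' '\n' \
    | grep -qx 'phpinfo'
}

# Prints one line per check and returns the number of findings (0 = clean).
audit_owncloud() {
  findings=0
  if graphapi_phpinfo_present "$1"; then
    echo "FINDING: $1/$GRAPHAPI_PHPINFO still present; delete it (CVE-2023-49103)"
    findings=$((findings + 1))
  else
    echo "ok: GetPhpInfo.php not present under $1"
  fi
  if phpinfo_disabled_in_ini "$2"; then
    echo "ok: phpinfo is in disable_functions in $2"
  else
    echo "FINDING: phpinfo is not disabled in $2"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Usage: audit_owncloud /var/www/owncloud /etc/php/8.1/fpm/php.ini
```

A clean result here does not replace rotating the secrets the bulletin lists, since the file may already have been fetched before it was removed.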
The second issue, with a CVSS v3 score of 9.8, affects ownCloud core library versions 10.6.0 to 10.13.0 and is an authentication bypass problem.
The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the user's username is known and they have not configured a signing key (the default setting).
The published solution is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.
The third and less severe flaw (CVSS v3 score: 9) is a subdomain validation bypass issue impacting all versions of the oauth2 library below 0.6.1.
In the oauth2 app, an attacker can enter a specially crafted redirect URL that bypasses the validation code, allowing callbacks to be redirected to a domain controlled by the attacker.
The recommended mitigation is to harden the validation code in the Oauth2 app. A temporary workaround shared in the bulletin is to disable the "Allow Subdomains" option.
The three security flaws described in the bulletins significantly impact the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more.
Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups such as CLOP using them in data theft attacks on thousands of companies worldwide.
Because of this, it is essential for ownCloud administrators to apply the recommended fixes immediately and perform the library updates as soon as possible to mitigate these risks.