The maintainers of the open-source file-sharing software program ownCloud have warned of three vital security flaws that may very well be exploited to reveal delicate data and modify information.
A quick description of the vulnerabilities is as follows –
- Disclosure of delicate credentials and configuration in containerized deployments impacting graphapi variations from 0.2.0 to 0.3.0. (CVSS rating: 10.0)
- WebDAV Api Authentication Bypass utilizing Pre-Signed URLs impacting core variations from 10.6.0 to 10.13.0 (CVSS rating: 9.8)
- Subdomain Validation Bypass impacting oauth2 previous to model 0.6.1 (CVSS rating: 9.0)
“The ‘graphapi’ app depends on a third-party library that gives a URL. When this URL is accessed, it reveals the configuration particulars of the PHP setting (phpinfo),” the corporate mentioned of the primary flaw.
“This data contains all of the setting variables of the net server. In containerized deployments, these setting variables might embody delicate knowledge such because the ownCloud admin password, mail server credentials, and license key.”
As a repair, ownCloud is recommending to delete the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/checks/GetPhpInfo.php” file and disable the ‘phpinfo’ operate. It’s also advising customers to vary secrets and techniques just like the ownCloud admin password, mail server and database credentials, and Object-Retailer/S3 entry keys.
The second drawback makes it doable to entry, modify or delete any file sans authentication if the username of the sufferer is thought and the sufferer has no signing-key configured, which is the default habits.
Lastly, the third flaw pertains to a case of improper entry management that enables an attacker to “cross in a specifically crafted redirect-url which bypasses the validation code and thus permits the attacker to redirect callbacks to a TLD managed by the attacker.”
Apart from including hardening measures to the validation code within the oauth2 app, ownCloud has advised that customers disable the “Enable Subdomains” possibility as a workaround.
The disclosure comes as a proof-of-concept (PoC) exploit has been launched for a vital distant code execution vulnerability within the CrushFTP resolution (CVE-2023-43177) that may very well be weaponized by an unauthenticated attacker to entry information, run arbitrary applications on the host, and purchase plain-text passwords.
The problem has been addressed in CrushFTP model 10.5.2, which was launched on August 10, 2023.
“This vulnerability is vital as a result of it does NOT require any authentication,” CrushFTP famous in an advisory launched on the time. “It may be accomplished anonymously and steal the session of different customers and escalate to an administrator person.”
