Critical bug in ownCloud file sharing app exposes admin passwords

Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.

ownCloud is an open-source file sync and sharing solution designed for individuals and organizations that want to manage and share files through a self-hosted platform.

It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to keep control over their data rather than hosting it with third-party cloud storage providers. OwnCloud's website reports 200,000 installs, 600 enterprise customers, and 200 million users.

The software consists of multiple libraries and components that work together to provide a range of functionality for the cloud storage platform.

Severe data breach risks

The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.

The first flaw is tracked as CVE-2023-49103 and received the maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, affecting all environment variables of the web server.

Affecting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details through a URL, revealing ownCloud admin passwords, mail server credentials, and license keys.

The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.

"It is important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," warns the security bulletin.

"Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."

The second issue, with a CVSS v3 score of 9.8, affects ownCloud core library versions 10.6.0 to 10.13.0 and is an authentication bypass problem.

The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the user's username is known and they have not configured a signing key (the default setting).

The published solution is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.

The third and less severe flaw (CVSS v3 score: 9) is a subdomain validation bypass issue affecting all versions of the oauth2 library below 0.6.1.

In the oauth2 app, an attacker can enter a specially crafted redirect URL that bypasses the validation code, allowing callbacks to be redirected to a domain controlled by the attacker.

The recommended mitigation is to harden the validation code in the oauth2 app. A temporary workaround shared in the bulletin is to disable the "Allow Subdomains" option.
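As an added illustration (not the oauth2 app's own code), this is what a strict redirect URI check looks like when subdomains are permitted: the host is compared label by label against the registered host rather than as a string suffix, and scheme, userinfo, port, path and fragment are compared exactly. The host names and paths are constructed placeholders.

```python
from urllib.parse import urlsplit


def _labels(host):
    # Normalise a host name into DNS labels: lowercase, trailing dot stripped.
    return host.lower().rstrip(".").split(".")


def redirect_uri_allowed(registered, candidate, allow_subdomains):
    """Return True only if `candidate` may receive a callback for a client whose
    redirect URI was registered as `registered`.

    The host must be identical or, when allow_subdomains is set, a DNS child of
    the registered host. The child check is done per label, not as a string
    suffix, so 'evilapp.example.test' and 'app.example.test.attacker.test'
    are refused even though both end with the registered host's characters.
    """
    try:
        reg, cand = urlsplit(registered), urlsplit(candidate)
        reg_port, cand_port = reg.port, cand.port  # ValueError on a malformed port
    except ValueError:
        return False
    if not reg.hostname or not cand.hostname:
        return False
    # Userinfo has no place in a redirect URI; reject it outright.
    if cand.username is not None or cand.password is not None:
        return False
    if cand.scheme != reg.scheme or cand_port != reg_port:
        return False
    # RFC 6749 forbids fragments in redirect URIs; the path must match exactly.
    if cand.fragment or cand.path != reg.path:
        return False
    reg_labels, cand_labels = _labels(reg.hostname), _labels(cand.hostname)
    if cand_labels == reg_labels:
        return True
    if not allow_subdomains:
        return False
    # A subdomain has at least one extra, non-empty label and ends with the registered labels.
    return (
        all(cand_labels)
        and len(cand_labels) > len(reg_labels)
        and cand_labels[-len(reg_labels):] == reg_labels
    )


if __name__ == "__main__":
    # Constructed sample inputs; 'example.test' and 'attacker.test' are placeholders.
    registered = "https://app.example.test/callback"
    for uri in ("https://sso.app.example.test/callback", "https://app.example.test.attacker.test/callback"):
        print(uri, redirect_uri_allowed(registered, uri, allow_subdomains=True))
```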

The three security flaws described in the bulletins significantly affect the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more.

Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups such as CLOP using them in data theft attacks on thousands of companies worldwide.

Because of this, it is critical for ownCloud administrators to apply the recommended fixes immediately and perform the library updates as soon as possible to mitigate these risks.
