ownCloud 3.0.0 Cross Site Scripting



EKU-ID: 1957 CVE: OSVDB-ID:
Author: expku Published: 2012-04-20 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

Published: 2012/04/18
Version 1.0

Affected products:
    ownCloud version 3.0.0 (others not tested)
    http://owncloud.org

References:
    TC-SA-2012-01 www.tele-consulting.com/advisories/TC-SA-2012-01.txt
(used for updates)
    CVE-2012-2269 - XSS in ownCloud 3.0.0
    CVE-2012-2270 - Open Redirect in ownCloud 3.0.0
 
Summary:
    "ownCloud gives you easy and universal access to all of your files.
     It also provides a platform to easily view, sync and share your
     contacts, calendars, bookmarks and files across all your devices.
     ownCloud 3 brings loads of new features and hundreds of fixes"

Vulnerable Scripts:
    stored XSS:
     - /apps/contacts/ajax/addcard.php (any input field)
     - /apps/contacts/ajax/addproperty.php (parameter)
     - /apps/contacts/ajax/createaddressbook (name)

    reflected XSS:
     - /files/download.php (file)
     - /files/index.php (name, user, redirect_url)
 
    open redirect after login:
     - Login Page

Examples:
    stored XSS:
      - add a new contact and enter <script>alert("Help Me")</script> in
any field, save the contact
      - add a new date in calendar with name <script>alert("Help
Me")</script>"
     
    reflected XSS (un-authenticated):
      -
http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help
Me")</script><l=" (must not be logged in)

    open redirect after login:
      -
http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreife
r.de/

Possible solutions:
    - update to OwnCloud 3.0.2

Disclosure Timeline:
    2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
    2012/02/01 vendor contacted via E-Mail
    2012/02/02 vendor response
    2012/04/16 asked vendor for status updates
    2012/04/16 vendor status: patched with version 3.0.2
    2012/04/18 public disclosure