The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.
A brief description of the vulnerabilities is as follows:
- Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0 (CVSS score: 10.0)
- WebDAV API authentication bypass using pre-signed URLs impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8)
- Subdomain validation bypass impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0)
“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the company said of the first flaw.
“This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”
As a fix, ownCloud recommends deleting the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disabling the ‘phpinfo’ function. It also advises users to change secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
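A defender's check for the two graphapi remediation steps above, written as an added example rather than ownCloud's own tooling. The install root and the php.ini path are assumptions about the local deployment, and the script looks for GetPhpInfo.php by name anywhere under apps/graphapi.

```shell
#!/bin/sh
# Added example: audit one ownCloud install for the graphapi phpinfo exposure.
# Usage (paths are assumptions about your layout):
#   sh audit.sh /var/www/owncloud /etc/php/php.ini

# phpinfo_file_present <owncloud_root>
# Prints every GetPhpInfo.php found under apps/graphapi; returns 0 if any exist.
phpinfo_file_present() {
    hits=$(find "$1/apps/graphapi" -type f -name 'GetPhpInfo.php' 2>/dev/null || true)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# phpinfo_disabled <php.ini>
# Returns 0 only if the last active (uncommented) disable_functions
# directive lists phpinfo. A commented-out line does not count.
phpinfo_disabled() {
    line=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    # Drop "key =", inline ';' comments, blanks and quotes; one name per line.
    printf '%s\n' "${line#*=}" | sed 's/;.*//' | tr -d ' \t"' | tr ',' '\n' \
        | grep -qx 'phpinfo'
}

# audit <owncloud_root> <php.ini>
# Prints one line per check; return code is the number of open findings.
audit() {
    findings=0
    if path=$(phpinfo_file_present "$1"); then
        echo "OPEN: still on disk, delete it: $path"
        findings=$((findings + 1))
    else
        echo "OK: no GetPhpInfo.php under $1/apps/graphapi"
    fi
    if phpinfo_disabled "$2"; then
        echo "OK: phpinfo is listed in disable_functions ($2)"
    else
        echo "OPEN: phpinfo is not in disable_functions ($2)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run only when both paths are supplied on the command line.
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
fi
```

Point the second argument at the php.ini that the web server's PHP actually loads, which may differ from the CLI one. A clean result does not replace rotating the secrets listed above.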
The second problem makes it possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.
Lastly, the third flaw relates to a case of improper access control that allows an attacker to “pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”
Besides adding hardening measures to the validation code in the oauth2 app, ownCloud has suggested that users disable the “Allow Subdomains” option as a workaround.
The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.
The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.
“This vulnerability is critical because it does NOT require any authentication,” CrushFTP noted in an advisory released at the time. “It can be done anonymously and steal the session of other users and escalate to an administrator user.”


