Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <1344590752.31390.13.camel@gummipuppe>
Date: Fri, 10 Aug 2012 11:25:52 +0200
From: Bruno Kleinert <fuddl@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Possible data loss or data modification in ownCloud

Hi there,

I stumbled over a security bug in owncloud 4.0.5 and 4.0.4 as it is
packaged in Debian sid/unstable and wheezy/testing, with the result of
data loss or modification, depending on the configuration of owncloud.
Though I tested and reproduced this flaw only with the Debian packages,
an ownCloud developer confirmed that this bug is not Debian-specific.

It is possible for regular users of owncloud to overwrite files that are
shared read-only by another owncloud user via WebDAV.

To reproduce I did the following steps on Debian sid/unstable and also
wheezy/testing:
     1. Install owncloud packages
     2. Open http://localhost/owncloud and finish installation by
        creating an admin user
     3. Log in as admin user and create two regular users user1 and
        user2
     4. Log into owncloud as user1 and create an empty text file
     5. Share this file to user2 and leave the "can edit" checkbox
        unchecked as it is by default
     6. Log in via WebDAV as user2 (I used nautilus of GNOME 3)
     7. Navigate to the empty file, open, edit and save it
     8. user1's once empty file now contains the changes from user2

If version control is activated in ownCloud, user1 could revert the file
to its previous state, but if it's *not* activated, user1's data is
lost.

I contacted an ownCloud developer who sent me a patch, that was applied
to their development branch to address this issue. I had to adjust it a
little to make it apply against ownCloud 4.0.5 in Debian sid/unstable.
The patch should now be included in the latest Debian sid/unstable
owncloud 4.0.5debian2-2 package. I attach the adjusted patch to this
mail.

Best regards - Fuddl

View attachment "fix-webdav-security.diff" of type "text/x-patch" (1826 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.