Decoding ownCloud’s Vulnerabilities: The Hidden Flaws of API Trust
ownCloud is a self-hosted platform for storing, sharing and collaborating on files. Recently three vulnerabilities (CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105, described below) were announced. Together they allowed unauthenticated attackers to remotely read sensitive information, tamper with the OAuth `redirect_uri` parameter, and access or modify files in the system.
When building applications on third-party APIs or libraries, make sure they meet the same security bar you would demand of a first-party API, or else treat everything they return, and everything they ship, as untrusted input. This class of weakness is recognized in the OWASP API Security Top 10 (2023) as 'Unsafe Consumption of APIs' (API10:2023).
ownCloud/graphapi shipped a third-party library that included a test file, GetPhpInfo.php, which calls PHP's phpinfo() and prints the server's PHP configuration, including its environment variables. An unauthenticated user who requested that file could read those variables, which in containerized deployments (where secrets are passed to the container as environment variables) include the ownCloud admin credentials and the license key; the rest of the phpinfo() output also serves as reconnaissance about the host. This vulnerability affected ownCloud/graphapi versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1.
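As an added example (not Traceable's or ownCloud's code), the following detection pass scans web-server access-log lines for requests that reach the GetPhpInfo.php file named above. The log lines are constructed, the directory shown in them and the combined log format are assumptions; the rule keys only on the file name, after percent-decoding and case-folding the path, so trailing path segments, mixed case or encoded characters do not hide the request.

```python
"""Flag requests for the GetPhpInfo.php test file in web-server access logs.

Added illustration (not Traceable or ownCloud code). The log lines below are
constructed, the directory in them is assumed, and the match is on the file
name only, after normalising the request path.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed "combined" format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2023:10:01:12 +0000] "GET /index.php/login HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:10:01:15 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 98765 "-" "curl/8.4.0"
198.51.100.9 - - [28/Nov/2023:10:02:03 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.PHP/.css HTTP/1.1" 200 98765 "-" "python-requests/2.31"
198.51.100.9 - - [28/Nov/2023:10:02:08 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhp%49nfo%2Ephp HTTP/1.1" 200 98765 "-" "python-requests/2.31"
192.0.2.5 - alice [28/Nov/2023:10:03:00 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 512 "-" "Mirall/5.1"
"""

# ip, ident, user, timestamp, "method target [protocol]", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

TARGET_FILE = "getphpinfo.php"   # compared case-insensitively


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_path(target: str) -> str:
    """Strip the query string, percent-decode until stable (bounded) and lower-case."""
    path = target.split("?", 1)[0]
    for _ in range(3):            # bounded so doubly-encoded input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def hits_phpinfo(target: str) -> bool:
    """True if any path segment is the GetPhpInfo.php file, whatever precedes or follows it."""
    return TARGET_FILE in normalise_path(target).split("/")


def find_phpinfo_requests(log_text: str) -> List[dict]:
    """Collect every request that reached GetPhpInfo.php, with who sent it and whether it was served."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and hits_phpinfo(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "path": normalise_path(rec["target"]),
                "status": int(rec["status"]),
                "authenticated": rec["user"] != "-",
                "served": rec["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_phpinfo_requests(SAMPLE_LOG):
        print(finding)
```

A 2xx status on such a request from an unauthenticated client is the signal to act on: the file should not be reachable at all on a patched instance, so a served request means the fix is not in place or the file is still present.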
The second CVE concerned the validation of the `redirect_uri` parameter in the oauth2 app. When the option to allow subdomains was enabled, an attacker could craft a `redirect_uri` on a domain they control that still passed the check, so the authorization response, and with it the resulting token, was delivered to the attacker's site instead of the legitimate client. This vulnerability affected ownCloud/oauth2 versions before 0.6.1.
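The added example below (illustrative code, not ownCloud's oauth2 implementation) puts a weak "allow subdomains" check next to a strict one. The weak version treats the host as a string and accepts anything that ends with the registered host, which a domain such as `evilapp.example.com` satisfies when `app.example.com` is registered; the strict version parses both URIs and requires scheme, port, path and query to match, rejects userinfo and fragments, and only accepts subdomains at a label boundary. The registered URI and probe URIs are constructed.

```python
"""Weak vs strict OAuth redirect_uri validation when subdomains are allowed.

Added illustration only; this is not ownCloud's oauth2 app code. The weak
check shows string-based "subdomain" matching that a domain an attacker
registers can satisfy; the strict check parses both URIs and compares every
component that matters.
"""
from urllib.parse import urlsplit

# Constructed registered client redirect URI (not from the original page).
REGISTERED = "https://app.example.com/oauth/callback"


def weak_redirect_ok(registered: str, actual: str, allow_subdomains: bool) -> bool:
    """Deliberately weak: compares hosts as strings and, when subdomains are
    allowed, accepts any host that merely ends with the registered host.
    Scheme, port, path and query are never checked."""
    reg_host = urlsplit(registered).hostname or ""
    act_host = urlsplit(actual).hostname or ""
    if act_host == reg_host:
        return True
    return allow_subdomains and act_host.endswith(reg_host)


def strict_redirect_ok(registered: str, actual: str, allow_subdomains: bool) -> bool:
    """Accept only if scheme, port, path and query match exactly, there is no
    fragment or userinfo, and the host is the registered host or (when
    allowed) a subdomain of it at a "." boundary."""
    try:
        reg, act = urlsplit(registered), urlsplit(actual)
        reg_port, act_port = reg.port, act.port      # .port raises ValueError on junk
    except ValueError:
        return False
    if act.scheme != reg.scheme or act_port != reg_port:
        return False
    if act.username is not None or act.password is not None:
        return False      # e.g. https://app.example.com@evil.test/... tricks
    if act.fragment or act.path != reg.path or act.query != reg.query:
        return False
    reg_host = (reg.hostname or "").lower()
    act_host = (act.hostname or "").lower()
    if not reg_host or not act_host:
        return False
    if act_host == reg_host:
        return True
    # "." boundary: evilapp.example.com must not match app.example.com
    return allow_subdomains and act_host.endswith("." + reg_host)


# Constructed probe URIs an attacker might submit in the authorization request.
PROBES = {
    "exact":            "https://app.example.com/oauth/callback",
    "real_subdomain":   "https://login.app.example.com/oauth/callback",
    "lookalike_domain": "https://evilapp.example.com/oauth/callback",
    "downgraded":       "http://app.example.com/oauth/callback",
    "other_port":       "https://app.example.com:8443/oauth/callback",
    "userinfo":         "https://app.example.com@evil.test/oauth/callback",
}


def compare(allow_subdomains: bool = True) -> dict:
    """Return {probe name: (weak result, strict result)} for every probe."""
    return {
        name: (weak_redirect_ok(REGISTERED, uri, allow_subdomains),
               strict_redirect_ok(REGISTERED, uri, allow_subdomains))
        for name, uri in PROBES.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:18} weak={weak!s:5} strict={strict}")
```

The safest policy remains exact string comparison of the whole `redirect_uri` against a registered value, as RFC 6749 recommends; if a product must offer a subdomain option, the strict form above is the minimum, and the option should stay off by default.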
The third CVE let an unauthenticated remote attacker access, modify or delete any file belonging to a user, provided the attacker knows the username and the user has not configured a signing key, which is the default state. This vulnerability affected ownCloud/core versions before 10.13.1.
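To show why "no signing key configured" must mean "no pre-signed access" rather than "verify against a default", here is an added example (illustrative code, not ownCloud core's implementation). It assumes a simple pre-signed URL scheme in which the URL carries `user`, `expires` and `sig` query parameters and `sig` is an HMAC-SHA256 over the user, path and expiry under that user's key. The weak verifier substitutes an empty key for a user who never configured one, an illustrative fail-open pattern, so anyone who knows the username can produce a valid signature; the strict verifier fails closed and compares signatures in constant time. Users, keys, paths and times are constructed.

```python
"""Pre-signed URL verification that fails closed when a user has no signing key.

Added illustration; this is not ownCloud core's implementation. The URL
scheme, the user store and the hostname are assumptions for the example.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed user store: alice configured a key, bob never did.
SIGNING_KEYS = {
    "alice": "3b1f0c8e7a6d5c4b3a29181706f5e4d3c2b1a09f8e7d6c5b4a392817065f4e3d",
    "bob": None,
}


def _message(user: str, path: str, expires: int) -> bytes:
    return f"{user}\n{path}\n{expires}".encode()


def make_signature(key: str, user: str, path: str, expires: int) -> str:
    return hmac.new(key.encode(), _message(user, path, expires), hashlib.sha256).hexdigest()


def build_url(path: str, user: str, expires: int, sig: str) -> str:
    return f"https://cloud.example.test{path}?" + urlencode(
        {"user": user, "expires": expires, "sig": sig})


def presign(user: str, path: str, expires: int) -> str:
    """Server-side signing for a user who has a key; refuses otherwise."""
    key = SIGNING_KEYS.get(user)
    if not key:
        raise ValueError(f"{user} has no signing key configured")
    return build_url(path, user, expires, make_signature(key, user, path, expires))


def forge_without_key(user: str, path: str, expires: int) -> str:
    """What someone who knows only the username can produce: a signature under the empty key."""
    return build_url(path, user, expires, make_signature("", user, path, expires))


def _parse(url: str):
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    user = q.get("user", [""])[0]
    sig = q.get("sig", [""])[0]
    try:
        expires = int(q.get("expires", ["0"])[0])
    except ValueError:
        expires = 0
    return parts.path, user, expires, sig


def weak_verify(url: str, now: int) -> bool:
    """Deliberately weak: a missing key silently becomes '' and the comparison is not constant-time."""
    path, user, expires, sig = _parse(url)
    if expires < now:
        return False
    key = SIGNING_KEYS.get(user) or ""
    return make_signature(key, user, path, expires) == sig


def strict_verify(url: str, now: int) -> bool:
    """Fail closed: unknown user, no configured key, empty signature or expiry all mean no access."""
    path, user, expires, sig = _parse(url)
    key = SIGNING_KEYS.get(user)
    if not key or not sig or expires < now:
        return False
    expected = make_signature(key, user, path, expires)
    return hmac.compare_digest(expected, sig)


NOW = 1_700_000_000          # constructed "current time" (epoch seconds)
EXPIRES = NOW + 3600


def demo() -> dict:
    """Return (weak, strict) verification results for a legitimate URL and for forged or altered ones."""
    good = presign("alice", "/remote.php/dav/files/alice/report.pdf", EXPIRES)
    forged_bob = forge_without_key("bob", "/remote.php/dav/files/bob/secret.txt", EXPIRES)
    forged_alice = forge_without_key("alice", "/remote.php/dav/files/alice/report.pdf", EXPIRES)
    tampered = good.replace("report.pdf", "salary.xlsx")
    return {
        "alice_legit":    (weak_verify(good, NOW), strict_verify(good, NOW)),
        "bob_forged":     (weak_verify(forged_bob, NOW), strict_verify(forged_bob, NOW)),
        "alice_forged":   (weak_verify(forged_alice, NOW), strict_verify(forged_alice, NOW)),
        "alice_tampered": (weak_verify(tampered, NOW), strict_verify(tampered, NOW)),
        "alice_expired":  (weak_verify(good, EXPIRES + 1), strict_verify(good, EXPIRES + 1)),
    }


if __name__ == "__main__":
    for name, (weak, strict) in demo().items():
        print(f"{name:15} weak={weak!s:5} strict={strict}")
```

The `bob_forged` row is the one that matters: the weak verifier accepts a URL that was signed with no secret at all, purely because the account had never been given one. Any "absent secret" branch in a verifier should be an explicit rejection, and it is worth adding a test for exactly that case.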
Together these vulnerabilities allowed malicious actors to read admin credentials, obtain OAuth tokens and tamper with user files. ownCloud has released fixed versions of the affected components (graphapi 0.3.1, oauth2 0.6.1 and core 10.13.1); because ownCloud is self-hosted, those fixes only take effect once each instance is upgraded, so we strongly recommend upgrading your ownCloud instances now to mitigate the risk.
At Traceable, we are continuously monitoring for the latest CVEs and threats to ensure that our customers are protected against those vulnerabilities or attacks. When the vulnerability was announced, we rapidly developed and deployed appropriate protection mechanisms. As of 1st October, 2024, all Traceable customers are protected against these vulnerabilities. We continue to look for blocked exploitation attempts via our OmniTrace Engine, and continue to reach out to our customers who have been targeted.