Bug 10092 - owncloud new security issues fixed in 5.0.6
Summary: owncloud new security issues fixed in 5.0.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552028/
Whiteboard: has_procedure mga3-64-OK mga3-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-05-14 18:23 CEST by David Walser
Modified: 2013-05-28 19:46 CEST

See Also:
Source RPM: owncloud-5.0.6-1.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2013-05-14 18:23:25 CEST
Upstream has issued 9 new security advisories today affecting 5.0.5:
http://openwall.com/lists/oss-security/2013/05/14/8

These issues are fixed in 5.0.6.

Reproducible: 

Steps to Reproduce:
David Walser 2013-05-14 18:23:33 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-05-25 00:39:32 CEST
Updated packages uploaded for Mageia 3 and Cauldron.

Advisory to come later, but please see the URL in Comment 0 for details.

owncloud-5.0.6-1.mga3 is the updated package for testing.

CC: (none) => nicolas.lecureuil
Version: Cauldron => 3
Assignee: nicolas.lecureuil => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 2 claire robinson 2013-05-25 13:58:52 CEST
Testing complete mga3 64

Owncloud doesn't restart httpd when it's installed, so it is inaccessible until that is done manually, which is possibly a bug, so created bug 10275.

The update performs a successful update when logged into owncloud at http://localhost/owncloud

Created users, uploaded some files, viewed them, played with the settings, all ok.

Whiteboard: (none) => has_procedure mga3-64-OK

Comment 3 claire robinson 2013-05-25 14:15:24 CEST
Testing complete mga3 32

Validating

Could sysadmin please push from 3 core/updates_testing to core/updates

SRPM owncloud-5.0.6-1.mga3

Advisory still required

Thanks!

Keywords: (none) => validated_update
Source RPM: owncloud-5.0.5-1.mga3.src.rpm => owncloud-5.0.6-1.mga3.src.rpm
Whiteboard: has_procedure mga3-64-OK => has_procedure mga3-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2013-05-25 14:38:55 CEST
Advisory:
========================

Updated owncloud package fixes security vulnerabilities:

ownCloud before 5.0.6 does not neutralize special elements that are
passed to the SQL query in lib/db.php which therefore allows an
authenticated attacker to execute arbitrary SQL commands (CVE-2013-2045).

ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements
that are passed to the SQL query in lib/bookmarks.php which therefore
allows an authenticated attacker to execute arbitrary SQL commands
(CVE-2013-2046).

Multiple directory traversal vulnerabilities in (1)
apps/files_trashbin/index.php via the "dir" GET parameter and (2)
lib/files/view.php via undefined vectors in all ownCloud versions
prior to 5.0.6 and other versions before 4.0.15, allow authenticated
remote attackers to get access to arbitrary local files (CVE-2013-2039,
CVE-2013-2085).

Cross-site scripting (XSS) vulnerabilities in multiple files inside
the media application via multiple unspecified vectors in all ownCloud
versions prior to 5.0.6 and other versions before 4.0.15 allow
authenticated remote attackers to inject arbitrary web script or HTML
(CVE-2013-2040).

Cross-site scripting (XSS) vulnerabilities in (1)
apps/bookmarks/ajax/editBookmark.php via the "tag" GET parameter
(CVE-2013-2041) and in (2) apps/files/js/files.js via the "dir" GET
parameter to apps/files/ajax/newfile.php in ownCloud 5.0.x before 5.0.6
allow authenticated remote attackers to inject arbitrary web script or
HTML (CVE-2013-2041).

Cross-site scripting (XSS) vulnerabilities in (1)
apps/bookmarks/ajax/addBookmark.php via the "url" GET parameter and in
(2) apps/bookmarks/ajax/editBookmark.php via the "url" POST parameter
in ownCloud 5.0.x before 5.0.6 allow authenticated remote attackers
to inject arbitrary web script or HTML (CVE-2013-2042).

Open redirect vulnerability in index.php (aka the Login Page) in
ownCloud before 5.0.6 allows remote attackers to redirect users to
arbitrary web sites and conduct phishing attacks via a URL in the
redirect_url parameter (CVE-2013-2044).

Index.php (aka the login page) contains a form that does not disable
the autocomplete setting for the password parameter, which makes it
easier for local users or physically proximate attackers to obtain the
password from web browsers that support autocomplete (CVE-2013-2047).

Due to not properly checking the ownership of a calendar, an
authenticated attacker is able to download calendars of other users
via the "calendar_id" GET parameter to /apps/calendar/ajax/events.php.
Note: Successful exploitation of this privilege escalation requires
the "calendar" app to be enabled (enabled by default) (CVE-2013-2043).

Due to an insufficient permission check, an authenticated attacker is
able to execute API commands as administrator. Additionally, an
unauthenticated attacker could abuse this flaw as a cross-site request
forgery vulnerability (CVE-2013-2048).

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows
authenticated remote attackers to execute arbitrary PHP code by
uploading a crafted file and accessing an uploaded PHP file.
Note: Successful exploitation requires that the /data/ directory is
stored inside the webroot and a webserver that interprets .htaccess
files (e.g. Apache) (CVE-2013-2089).

The configuration loader in ownCloud 5.0.x before 5.0.6 includes
private data such as CSRF tokens in a JavaScript file, which allows
remote attackers to obtain sensitive information (CVE-2013-2086).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2039
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2089
http://owncloud.org/about/security/advisories/oC-SA-2013-019/
http://owncloud.org/about/security/advisories/oC-SA-2013-020/
http://owncloud.org/about/security/advisories/oC-SA-2013-021/
http://owncloud.org/about/security/advisories/oC-SA-2013-022/
http://owncloud.org/about/security/advisories/oC-SA-2013-023/
http://owncloud.org/about/security/advisories/oC-SA-2013-024/
http://owncloud.org/about/security/advisories/oC-SA-2013-025/
http://owncloud.org/about/security/advisories/oC-SA-2013-026/
http://owncloud.org/about/security/advisories/oC-SA-2013-027/
http://mailman.owncloud.org/pipermail/announcements/2013-May/000014.html
http://mailman.owncloud.org/pipermail/announcements/2013-May/000012.html
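
The directory traversal entries in the advisory above (CVE-2013-2039, CVE-2013-2085) concern a user-controlled "dir" value reaching filesystem access. The following is an added example, not part of the advisory and not ownCloud's code or its actual fix: a generic containment check of that kind. It assumes a POSIX system with PHP 7.1 or later; resolveUserDir() and the demo directory layout are hypothetical.

```php
<?php
// Added illustration, not ownCloud code. resolveUserDir() and the demo layout are hypothetical.

/** Return the canonical directory for a user-supplied "dir" value, or null if it leaves $root. */
function resolveUserDir(string $root, string $dir): ?string
{
    // Reject NUL bytes before any filesystem call sees them.
    if (strpos($dir, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Treat the value as relative to the root even when it starts with a separator,
    // then let realpath() collapse ".." segments and follow symlinks.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($dir, '/\\'));
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare on a separator boundary so a sibling such as "alice2" does not match "alice".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo tree: two users, a look-alike sibling, and a symlink out of alice's root.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dir_demo_' . bin2hex(random_bytes(4));
mkdir("$base/alice/docs", 0700, true);
mkdir("$base/alice2", 0700, true);
mkdir("$base/bob", 0700, true);
symlink("$base/bob", "$base/alice/link_to_bob");

$samples = ['docs', '/docs', '', '../bob', 'docs/../../bob', '../alice2', 'link_to_bob', "docs\0x"];
foreach ($samples as $dir) {
    $resolved = resolveUserDir("$base/alice", $dir);
    printf("%-20s => %s\n", json_encode($dir), $resolved === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
unlink("$base/alice/link_to_bob");
foreach (['alice/docs', 'alice', 'alice2', 'bob', ''] as $d) {
    rmdir(rtrim("$base/$d", '/'));
}
```

The check canonicalises first and compares afterwards, so the symlink and the look-alike sibling directory are rejected along with the plain ".." cases.
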
Comment 5 Thomas Backlund 2013-05-25 21:50:04 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0154

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-05-28 19:46:41 CEST

URL: (none) => http://lwn.net/Vulnerabilities/552028/

