Admin passwords exposed due to critical bug in ownCloud file sharing app

OwnCloud, an open-source file-sharing software, has issued a warning about three critical-level security vulnerabilities. These include a vulnerability that could disclose administrator passwords and mail server credentials. [...]

Nov 24, 2023 - 21:00

Open-source file sharing software ownCloud recently issued a warning about three critical security vulnerabilities, with one posing a significant threat by potentially exposing administrator passwords and mail server credentials.

ownCloud, a popular solution for file synchronization and sharing, caters to a wide range of users including businesses, educational institutions, government agencies, and those prioritizing data privacy. It allows users to manage and share files through a self-hosted platform, boasting 200,000 installations, 600 enterprise customers, and a user base of 200 million.

The software comprises various libraries and components that collectively offer diverse functionalities for cloud storage. However, recent security bulletins from the ownCloud team have highlighted three critical flaws that could jeopardize the system’s integrity.

The most severe of these, identified as CVE-2023-49103 and rated with the maximum CVSS v3 score of 10, could lead to credential theft and configuration leaks in containerized deployments, because it exposes every environment variable of the web server process. The vulnerability stems from a third-party library dependency that ships a test file which, when requested by URL, prints PHP's phpinfo() output, including the process environment. As a result, sensitive information such as the ownCloud admin password, mail server credentials, and license keys could be compromised.

The recommended course of action involves deleting a specific file ('owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'), disabling the 'phpinfo' function in Docker containers, and changing all potentially exposed secrets.
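The two non-rotation steps of that mitigation can be checked and applied mechanically. The following is an added example, not ownCloud's own tooling: it looks for the advisory's file path under a given install root, removes it, and parses a php.ini text to verify (or add) `phpinfo` in the `disable_functions` directive. The install root, the constructed php.ini contents and the fake install tree built for the demo are assumptions; the relative file path is the one named in the advisory. Rotating the exposed secrets is a manual step and is not covered here.

```python
"""Defender-side check for the phpinfo exposure (added example; not ownCloud's code).

Assumptions: the caller passes the ownCloud install root; the offending file lives at
the relative path named in the advisory; phpinfo() counts as disabled when 'phpinfo'
appears in php.ini's disable_functions directive.
"""
import os
import tempfile
from pathlib import Path

# Relative path named in the ownCloud advisory.
GETPHPINFO_REL = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")


def find_getphpinfo(root):
    """Return the path of GetPhpInfo.php under root if it exists, else None."""
    candidate = Path(root) / GETPHPINFO_REL
    return candidate if candidate.is_file() else None


def remove_getphpinfo(root):
    """Delete the exposed file if present. Returns True when a file was removed."""
    path = find_getphpinfo(root)
    if path is None:
        return False
    path.unlink()
    return True


def _directives(php_ini_text):
    """Yield (index, key, value) for every 'key = value' line, ignoring ';' comments."""
    for i, raw in enumerate(php_ini_text.splitlines()):
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            yield i, key.strip().lower(), value.strip()


def phpinfo_disabled(php_ini_text):
    """True iff 'phpinfo' is listed in disable_functions (a commented-out line does not count)."""
    for _, key, value in _directives(php_ini_text):
        if key == "disable_functions":
            funcs = {f.strip().lower() for f in value.split(",") if f.strip()}
            if "phpinfo" in funcs:
                return True
    return False


def harden_php_ini(php_ini_text):
    """Return php.ini text with phpinfo added to disable_functions, appending the directive if absent."""
    if phpinfo_disabled(php_ini_text):
        return php_ini_text
    lines = php_ini_text.splitlines()
    for i, key, value in _directives(php_ini_text):
        if key == "disable_functions":
            funcs = [f.strip() for f in value.split(",") if f.strip()] + ["phpinfo"]
            lines[i] = "disable_functions = " + ",".join(funcs)
            return "\n".join(lines) + "\n"
    lines.append("disable_functions = phpinfo")
    return "\n".join(lines) + "\n"


def build_constructed_install():
    """Create a throwaway directory tree containing the exposed file (constructed test fixture)."""
    root = tempfile.mkdtemp(prefix="owncloud-demo-")
    target = Path(root) / GETPHPINFO_REL
    target.parent.mkdir(parents=True)
    target.write_text("<?php phpinfo();\n")  # constructed stand-in for the real test file
    return root


if __name__ == "__main__":
    root = build_constructed_install()
    print("exposed file:", find_getphpinfo(root))
    print("removed:", remove_getphpinfo(root))
    print(harden_php_ini("memory_limit = 128M\ndisable_functions = exec, system\n"))
```

Run it against a real install root (for example the web root of a Docker container) instead of the constructed one; a non-None return from `find_getphpinfo` means the file is still reachable and the secrets should be treated as exposed.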

The second issue, rated at a CVSS v3 score of 9.8, affects ownCloud core library versions 10.6.0 to 10.13.0. This authentication bypass flaw allows unauthorized access, modification, or deletion of any file if the user's username is known and no signing key is configured for that user (the default setting).

To counter this, the developers suggest denying the use of pre-signed URLs if no signing key is set for the file owner.
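The fix is a fail-closed guard: a request carrying a pre-signed URL must be rejected outright when the file owner has no signing key, rather than being accepted because there is nothing to compare against. The block below is an added, generic illustration of that pattern and is not ownCloud's implementation; the URL layout (`expires` and `signature` query parameters, HMAC-SHA256 over path and expiry), the per-owner key store and the sample key are assumptions.

```python
"""Fail-closed pre-signed URL verification (added example; generic, not ownCloud's code).

Assumptions: a pre-signed URL is '<path>?expires=<unix time>&signature=<hex HMAC-SHA256
over "<path>\n<expires>">'; signing keys are looked up per owner from a dict standing in
for user configuration, and an owner may have no key at all.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit


def sign_url(path, key, expires):
    """Hex HMAC-SHA256 of the path and expiry under the owner's key."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_presigned(path, key, expires):
    """Build a pre-signed URL for an owner who does have a key configured."""
    return f"{path}?expires={expires}&signature={sign_url(path, key, expires)}"


def verify_presigned(url, signing_keys, owner, now=None):
    """Return True only if the owner has a key AND the signature and expiry check out.

    The first guard is the point of the fix: no key configured means no pre-signed
    access at all, never 'skip the check'.
    """
    key = signing_keys.get(owner)
    if not key:
        return False  # fail closed
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        signature = query["signature"][0]
    except (KeyError, ValueError, IndexError):
        return False
    now = int(time.time()) if now is None else now
    if now > expires:
        return False
    expected = sign_url(parts.path, key, expires)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    keys = {"alice": b"constructed-demo-key"}  # bob deliberately has no key
    url = make_presigned("/files/alice/report.pdf", keys["alice"], expires=2000)
    print("alice, valid:", verify_presigned(url, keys, "alice", now=1000))
    print("bob, no key:", verify_presigned(url, keys, "bob", now=1000))
```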

The third vulnerability, with a CVSS v3 score of 9, is a subdomain validation bypass in all versions of the oauth2 library below 0.6.1. It enables attackers to redirect OAuth2 callbacks to a domain under their control by getting past the OAuth2 app's redirect-URI validation.

Administrators are advised to update the validation code in the OAuth2 app; as an interim measure, disable the "Allow Subdomains" option.
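Where an "allow subdomains" option is offered, the host comparison has to respect label boundaries and every other URL component still has to match exactly. The following is an added example of such a strict redirect-URI check, written generically and not taken from the ownCloud OAuth2 app; the registered URI, the candidate callbacks and the `allow_subdomains` flag name are assumptions.

```python
"""Strict OAuth2 redirect-URI validation with an optional subdomain allowance.

Added, generic example (not the ownCloud oauth2 app's code). Assumptions: each client
registers one redirect URI; with allow_subdomains=True a callback host that is a true
subdomain of the registered host is accepted; scheme, port and path must match exactly
and userinfo or fragments in the callback are rejected.
"""
from urllib.parse import urlsplit


def host_matches(registered_host, candidate_host, allow_subdomains):
    """Exact host match, or a real subdomain when allowed.

    A subdomain must end with '.' + registered host, so 'evil-app.example.com' and
    'app.example.com.evil.net' never match 'app.example.com'.
    """
    reg = registered_host.lower().rstrip(".")
    cand = candidate_host.lower().rstrip(".")
    if cand == reg:
        return True
    return bool(allow_subdomains) and cand.endswith("." + reg)


def redirect_uri_allowed(registered_uri, candidate_uri, allow_subdomains=False):
    """Return True iff candidate_uri may receive the authorization callback."""
    reg = urlsplit(registered_uri)
    cand = urlsplit(candidate_uri)
    # Reject userinfo and fragments outright; they are classic confusion vectors.
    if cand.username is not None or cand.password is not None or cand.fragment:
        return False
    if cand.scheme != reg.scheme:
        return False
    try:
        if cand.port != reg.port:
            return False
    except ValueError:  # malformed port
        return False
    if cand.path != reg.path:
        return False
    return host_matches(reg.hostname or "", cand.hostname or "", allow_subdomains)


if __name__ == "__main__":
    registered = "https://app.example.com/oauth/callback"  # constructed sample client
    for uri in [
        "https://app.example.com/oauth/callback",
        "https://sso.app.example.com/oauth/callback",
        "https://evil-app.example.com/oauth/callback",
        "https://app.example.com.evil.net/oauth/callback",
    ]:
        print(uri, "->", redirect_uri_allowed(registered, uri, allow_subdomains=True))
```

With `allow_subdomains=False` the function degenerates to an exact match, which is the effect of turning the "Allow Subdomains" option off as the interim mitigation.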

Given the significant risks posed by these vulnerabilities, including potential data exposure, phishing attacks, and other security breaches, it’s crucial for ownCloud administrators to promptly implement the suggested fixes and update their libraries. This urgency is underscored by the frequent targeting of file-sharing platforms by ransomware groups like CLOP, who exploit such vulnerabilities to attack thousands of companies globally.