Add oC-SA-2015-011 - oC-SA-2015-013
Parent
4de9fbd40e
Commit
05e96f94be
|
@ -1 +1,2 @@
|
|||
generator/out/
|
||||
generator/out/
|
||||
.DS_Store
|
|
@ -24,6 +24,7 @@ date_default_timezone_set('Europe/Zurich');
|
|||
$components = [
|
||||
'server',
|
||||
'desktop',
|
||||
'mobile',
|
||||
];
|
||||
$advisorySideBar = '';
|
||||
|
||||
|
@ -95,7 +96,14 @@ foreach($components as $component) {
|
|||
$company = isset($acknowledgment['Company']) ? $acknowledgment['Company'] : '';
|
||||
$mail = isset($acknowledgment['Mail']) ? $acknowledgment['Mail'] : '';
|
||||
$reason = isset($acknowledgment['Reason']) ? $acknowledgment['Reason']: '';
|
||||
$acknowledgments .= '<li>'.$acknowledgment['Name'].' - '.$company.' ('.$mail.') - '.$reason.'</li>';
|
||||
$acknowledgments .= '<li>'.$acknowledgment['Name'];
|
||||
if($company !== '') {
|
||||
$acknowledgments .= ' - '.$company;
|
||||
}
|
||||
if($mail !== '') {
|
||||
$acknowledgments .= ' ('.$mail.')';
|
||||
}
|
||||
$acknowledgments .= ' - '.$reason.'</li>';
|
||||
}
|
||||
}
|
||||
$content = str_replace('~~ACKNOWLEDGMENTS~~', $acknowledgments, $content);
|
||||
|
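Review bot: The final added line appends `' - '.$reason` unconditionally, so an entry without a `Reason` renders with a dangling " - "; guard it with `if($reason !== '')` the same way `$company` and `$mail` are guarded just above. Separately, `$acknowledgment['Name']`, `$company`, `$mail` and `$reason` are concatenated into the `<li>` without `htmlspecialchars()`; they come from the advisory JSON files, so escaping them here keeps a stray `<` or `&` in a name or company from breaking the generated page. `$acknowledgment['Name']` is also read without the `isset()` check the other three fields get.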
@ -121,7 +129,7 @@ foreach($components as $component) {
|
|||
|
||||
// Create sidebar with bugs from the latest version
|
||||
foreach($componentBugs as $version => $bug) {
|
||||
$advisorySideBar .= '<p>ownCloud ' . ucfirst($component) . ' ' . $version .'</p>';
|
||||
$advisorySideBar .= '<p>ownCloud ' . $component . ' ' . $version .'</p>';
|
||||
foreach($bug as $key => $title) {
|
||||
$advisorySideBar .= '<a href="/security/advisory?id='.$key.'">'.$title.'</a><br/>';
|
||||
}
|
||||
|
|
|
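Review bot: If the heading line without `ucfirst()` is the new one, the sidebar headings become "ownCloud server", "ownCloud desktop" and "ownCloud mobile" in lowercase; if the goal was a different label for the newly added `mobile` component, a small component-to-label map would keep the capitalisation for the others. In the inner loop, `$key` goes into the `href` and `$title` into the link text unescaped, and titles added in this commit contain double quotes, so wrap `$title` in `htmlspecialchars()` and `$key` in `urlencode()`.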
@ -0,0 +1,32 @@
|
|||
{
|
||||
"Title":"Improper validation of certificates within the iOS application",
|
||||
"Timestamp": 1438606571,
|
||||
"Type":"SSL related problem",
|
||||
"Risk": 3,
|
||||
"CVSS2": {
|
||||
"score": 7.8,
|
||||
"vector": "AV:A/AC:L/Au:N/C:C/I:C/A:N"
|
||||
},
|
||||
"CWE": {
|
||||
"id": 297,
|
||||
"name": "Improper Validation of Certificate with Host Mismatch"
|
||||
},
|
||||
"Affected":[
|
||||
{
|
||||
"Version":"iOS 3.4.4",
|
||||
"CVE":"CVE-2015-3996 (Note: This is the upstream CVE for the responsible AFNetworking issue)",
|
||||
"Operator":"<"
|
||||
}
|
||||
],
|
||||
"Description": "<p>The <a href=\"https://github.com/owncloud/ios-library\">ownCloud iOS Library</a> was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version TODO.</p><p>Specifically it has been discovered that the used networking library (<a href=\"https://github.com/AFNetworking/AFNetworking/\">AFNetworking</a>) is per default not ensuring whether the host-specific data (i.e. the Common Name (\"CN\") of the certificate) is actually associated with the connected remote host.</p><p>This effectively allows MITM (Man-in-the-Middle) attacks, allowing adversaries in such a position to intercept the traffic of the application using the ownCloud iOS Library.</p><p>ownCloud highly advises users to update affected clients as soon as possible to ensure data integrity and confidentiality. Third-party developers using the ownCloud iOS Library are encouraged to update the library and provide users with updated client versions.</p>",
|
||||
"ActionTaken": "<p>The vulnerable library has been updated.</p>",
|
||||
"Acknowledgment":[
|
||||
{
|
||||
"Name":"Lukas Reschke",
|
||||
"Mail":"lukas@owncloud.com",
|
||||
"Company":"ownCloud Inc.",
|
||||
"Reason":"Vulnerability discovery and disclosure.",
|
||||
"HoF": true
|
||||
}
|
||||
]
|
||||
}
|
|
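Review bot: The `Description` still says the official iOS client is affected "until version TODO"; fill in the fixed client version before this is published and make sure it agrees with the `Affected` entry (`iOS 3.4.4` with operator `<`). The `CVE` value also carries a free-text note in the same string as the identifier; if anything consumes that field as an ID, move the remark about the upstream AFNetworking CVE into the `Description`.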
@ -0,0 +1,32 @@
|
|||
{
|
||||
"Title":"Credentials potentially leaked to other configured ownCloud instance",
|
||||
"Timestamp": 1438606571,
|
||||
"Type":"Data mixup",
|
||||
"Risk": 1,
|
||||
"CVSS2": {
|
||||
"score": 2.6,
|
||||
"vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"
|
||||
},
|
||||
"CWE": {
|
||||
"id": 201,
|
||||
"name": "Information Exposure Through Sent Data"
|
||||
},
|
||||
"Affected":[
|
||||
{
|
||||
"Version":"iOS 3.4.4",
|
||||
"CVE":"CVE assignment pending",
|
||||
"Operator":"<"
|
||||
}
|
||||
],
|
||||
"Description": "<p>A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances.</p><p>Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to switch between different accounts on different instances. An user may for example configure their hosted ownCloud by a third-party provider as well as their company ownCloud instance.</p><p>In some cases when switching the accounts in the iOS applications the application is not properly handling the state switch and will continue to send the previous authentication headers to the other instance. Thus a malicious administrator on another configured ownCloud instance may gain access to the user' credentials on the other instance.</p>",
|
||||
"ActionTaken": "<p>The iOS application is now properly handling credentials as well as cookies and will send these only to the correct domains.</p>",
|
||||
"Acknowledgment":[
|
||||
{
|
||||
"Name":"Lukas Reschke",
|
||||
"Mail":"lukas@owncloud.com",
|
||||
"Company":"ownCloud Inc.",
|
||||
"Reason":"Vulnerability discovery and disclosure.",
|
||||
"HoF": true
|
||||
}
|
||||
]
|
||||
}
|
|
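Review bot: The `Description` has typos that will ship in the rendered advisory: "An user may" should be "A user may", and "the user' credentials" in the last sentence should be "the user's credentials". "When switching the accounts in the iOS applications" also reads better with the singular "application", matching the rest of the text.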
@ -0,0 +1,37 @@
|
|||
{
|
||||
"Title":"Stored XSS in \"activity\" application",
|
||||
"Timestamp": 1438606571,
|
||||
"Type":"Stored XSS",
|
||||
"Risk": 1,
|
||||
"CVSS2": {
|
||||
"score": 3.5,
|
||||
"vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
|
||||
},
|
||||
"CWE": {
|
||||
"id": 97,
|
||||
"name": "Improper Neutralization of Input During Web Page Generation"
|
||||
},
|
||||
"Affected":[
|
||||
{
|
||||
"Version":"7.0.5",
|
||||
"CVE":"CVE assignment pending",
|
||||
"Operator":"<"
|
||||
},
|
||||
{
|
||||
"Version":"8.0.4",
|
||||
"CVE":"CVE assignment pending",
|
||||
"Operator":"<"
|
||||
}
|
||||
],
|
||||
"Description": "<p>Due to not sanitising all user provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition.</p><p>Successful exploitation requires that the adversary is able to create files containing the <code>"</code> character. This character is forbidden by default in any current ownCloud version except 8.1.0 RC1, thus an actual exploitation requires that the user has mounted an external storage within ownCloud where a user can create files with such characters. Alternatively an adversary may discover a way to circumvent the input validation. (ownCloud is not aware of a bypass of to the input validation) – Furthermore the attacker must be able to share a folder containing the files with malicious filename with the victim.</p><p>Since ownCloud employs a strict Content-Security-Policy that forbids inline script execution. Thus this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy. (Firefox >= 23, Chrome >= 25, Safari >= 7)</p>",
|
||||
"ActionTaken": "<p>The output is now properly sanitized.</p>",
|
||||
"Acknowledgment":[
|
||||
{
|
||||
"Name":"Lukas Reschke",
|
||||
"Mail":"lukas@owncloud.com",
|
||||
"Company":"ownCloud Inc.",
|
||||
"Reason":"Vulnerability discovery and disclosure.",
|
||||
"HoF": true
|
||||
}
|
||||
]
|
||||
}
|
|
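Review bot: `CWE.id` is 97, but the `name` given, "Improper Neutralization of Input During Web Page Generation", is the name of CWE-79; change the id to 79. As displayed here, the `Description` value contains bare double quotes around "activity" and inside `<code>"</code>`, unlike the `\"` used in `Title`; check that they are escaped in the file, otherwise the JSON will not parse. The last paragraph also opens with a fragment ("Since ownCloud employs ... . Thus ...") and the second paragraph has "a bypass of to the input validation".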
@ -0,0 +1,42 @@
|
|||
{
|
||||
"Title":"Disclosure of users files when deleting parent folders of shared files",
|
||||
"Timestamp": 1438606571,
|
||||
"Type":"File Disclosure",
|
||||
"Risk": 2,
|
||||
"CVSS2": {
|
||||
"score": 3.5,
|
||||
"vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
|
||||
},
|
||||
"CWE": {
|
||||
"id": 252,
|
||||
"name": "Unchecked Return Value"
|
||||
},
|
||||
"Affected":[
|
||||
{
|
||||
"Version":"7.0.5",
|
||||
"CVE":"CVE assignment pending",
|
||||
"Operator":"<"
|
||||
},
|
||||
{
|
||||
"Version":"8.0.4",
|
||||
"CVE":"CVE assignment pending",
|
||||
"Operator":"<"
|
||||
},
|
||||
{
|
||||
"Version":"6.0.9",
|
||||
"CVE":"CVE assignment pending",
|
||||
"Operator":"<"
|
||||
}
|
||||
],
|
||||
"Description": "<p>Due to a common incorrect usage of the <code>getPath</code> function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return <code>null</code> in case the specified file does not exist anymore. When passing the result of <code>getPath</code> in combination with <code>null</code> to functions that setup a virtual chroot or other security relevant limitations PHP would typecast the return value to an empty string and thus effectively bypassing the internal security functions of ownCloud.</p><p><code>getPath</code> with a return type of <code>null</code> is a common occurrence in case a folder has been shared publicly and the parent item has been deleted later from the database. Due to missing foreign keys the share is still considered valid and will finally resolve to the users' root directory.</p><p>In such cases an adversary with knowledge of the sharing link to a deleted item may be able to access all files of the user and not only the original shared directory.</p>",
|
||||
"ActionTaken": "<p>All usages of the <code>getPath</code> function has been revised and corrected.</p><p>Furthermore, ownCloud 8.2 will feature another security hardening where instead of returning <code>null</code> for invalid files now an exception is thrown. In case of an exception ownCloud will stop the script execution and also static source code analysis will make developers aware of such situations.</p>",
|
||||
"Acknowledgment":[
|
||||
{
|
||||
"Name":"Lukas Reschke",
|
||||
"Mail":"lukas@owncloud.com",
|
||||
"Company":"ownCloud Inc.",
|
||||
"Reason":"Vulnerability discovery and disclosure.",
|
||||
"HoF": true
|
||||
}
|
||||
]
|
||||
}
|
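Review bot: The `CVSS2` vector uses `Au:S`, but the `Description` says an adversary who only knows the sharing link of a deleted item can read all of the user's files, which reads as an unauthenticated case; please confirm the vector and the 3.5 score are intended for this advisory and were not carried over from the stored XSS advisory, which has the identical vector. Minor: in `ActionTaken`, "All usages of the getPath function has been revised" should be "have been revised", and the `Affected` entries would be easier to scan in version order (6.0.9, 7.0.5, 8.0.4).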