Trio of major holes in ownCloud expose admin passwords, allow unauthenticated file mods

ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score. The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys. Tracked as …

  1. Hawkeye Pierce

    Good name for the product

    The "own" in ownCloud presumably means your cloud gets owned not that YOU own it?

    1. ChoHag Silver badge

      Re: Good name for the product

      PwnCloud?

  2. spireite Silver badge

    Containers that leak....

    If I had a quid for every container that exposed creds.

    I've seen it too many times, because people assumed that containers were a walled garden. Usually, I see it when creds are hardcoded in some config file/yaml somewhere.

    They forgot it needs doors - ports - for most things to work, and thus your boxers are whipped down for some good penetration.

  3. Yorick Hunt Silver badge

    PMSL

    Is this the same group who laughed at me when I questioned why the admin username was hard-coded and couldn't be renamed or disabled?

    A known admin username is trivial in the greater security realm, but their attitude spoke volumes of their attitude towards security and robustness.

  4. Nate Amsden

    wtf is a pre signed url

    Been using owncloud for over a decade, never heard of it. Poking through the source code I came across this:

    https://github.com/owncloud/core/pull/38376 "pre-signed download urls for password protected public links"

    I did a few web searches and the only hits for such a thing were mentions of this security advisory that I could find.

    Seems like a way to allow clients that don't support cookies to access password protected things? I don't see any way in the UI to enable or disable that function (or if it's already enabled I see no option for using it). I suspect my owncloud servers have no users that would ever use such a function anyway (not that I won't patch soon). I've certainly never had the need to do that. If I needed to host something for a client like wget or something I host it outside of owncloud.

    1. Nate Amsden

      Re: wtf is a pre signed url

      minor update - even after upgrading (from 10.9 to the latest) I can find no sign of this feature anywhere (not that I need/want it) - though I do see in the changelog it says "Bugfix - Disallow pre-signed URL access when the signing key is not initialized", though the changelog wouldn't make me think this was an important security thing by just reading that.

      sort of makes me feel better that some security stuff is getting exploited in owncloud, I mean it makes me think at least there are folks looking at the code and fixing some things.
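An added illustration of the changelog line quoted above ("Disallow pre-signed URL access when the signing key is not initialized"), written for this thread and not taken from ownCloud's code: a toy HMAC pre-signed download link, with a verifier that trusts whatever key is configured beside one that refuses to serve pre-signed links until a key exists. The URL layout, parameter names, and the idea that an uninitialized key behaves like an empty one are all assumptions of this example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed scheme, not ownCloud's: a link carries an expiry and an
# HMAC-SHA256 over "<path>|<expiry>" under a per-install signing key.
# "Not initialized" is modelled here as an empty key (assumption).

def sign_url(base_url: str, path: str, key: bytes, expires_at: int) -> str:
    """Mint a pre-signed URL for `path` that is valid until `expires_at`."""
    msg = f"{path}|{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?" + urlencode({"expires": expires_at, "signature": sig})

def _check_sig(url: str, key: bytes, now: int) -> bool:
    """Shared check: parse the link, reject expired or malformed ones,
    then compare the HMAC in constant time."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["expires"][0])
        sig = query["signature"][0]
    except (KeyError, ValueError):
        return False
    if now > expires_at:
        return False
    msg = f"{parts.path}|{expires_at}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def verify_vulnerable(url: str, key: bytes, now: int) -> bool:
    """'Before': verifies with whatever key is configured. With an empty key
    the HMAC is computable by anyone, so any path can be served."""
    return _check_sig(url, key, now)

def verify_hardened(url: str, key: bytes, now: int) -> bool:
    """'After': pre-signed access is disallowed until a key is initialized."""
    if not key:
        return False
    return _check_sig(url, key, now)
```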

  5. abend0c4 Silver badge

    .../tests/GetPhpInfo.php

    As a general rule of thumb, if you're looking for possible weaknesses in a deployed system, anything left behind with "test" in its path can often be a good place to start.

  6. monty75

    In case anyone else was wondering if these all affect the Nextcloud fork of ownCloud: https://help.nextcloud.com/t/do-the-recent-owncloud-cve-also-affect-nextcloud/175203
