Good name for the product
The "own" in ownCloud presumably means your cloud gets owned, not that YOU own it?
ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score. The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys. Tracked as …
If I had a quid for every container that exposed creds.
I've seen it too many times, because people assumed that containers were a walled garden. Usually, I see it when creds are hardcoded in some config file/yaml somewhere.
They forgot it needs doors - ports - for most things to work, and thus your boxers are whipped down for some good penetration.
Been using ownCloud for over a decade and never heard of it. Poking through the source code I came across this:
https://github.com/owncloud/core/pull/38376 "pre-signed download urls for password protected public links"
I did a few web searches and the only hits for such a thing were mentions of this security advisory that I could find.
Seems like a way to allow clients that don't support cookies to access password-protected things? I don't see any way in the UI to enable or disable that function (or if it's already enabled I see no option for using it). I suspect my ownCloud servers have no users that would ever use such a function anyway (not that I won't patch soon). I've certainly never had the need to do that. If I needed to host something for a client like wget or something, I host it outside of ownCloud.
Minor update - even after upgrading (from 10.9 to the latest) I can find no sign of this feature anywhere (not that I need/want it), though I do see in the changelog it says "Bugfix - Disallow pre-signed URL access when the signing key is not initialized", though the changelog wouldn't make me think this was an important security thing by just reading that.
Sort of makes me feel better that some security stuff is getting exploited in ownCloud; I mean it makes me think at least there are folks looking at the code and fixing some things.
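The changelog line quoted above, "Disallow pre-signed URL access when the signing key is not initialized", describes a fail-closed check. The verifier below is an added example, not ownCloud's own code: the HMAC-SHA256-over-path-and-expiry scheme, the function names and the constructed key are assumptions, chosen only to show why an unset signing key must reject every URL rather than be treated as an empty key.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical pre-signed URL format (an assumption, not ownCloud's):
# the server signs "<path>|<expires>" with HMAC-SHA256 under a
# per-instance signing key and appends ?expires=...&sig=... to the URL.


def sign_url(key: bytes, path: str, expires: int) -> str:
    """Issue a pre-signed download URL; refuse if no key is configured."""
    if not key:
        raise ValueError("signing key not initialized")
    msg = f"{path}|{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{path}?expires={expires}&sig={sig}"


def verify_presigned(key: bytes, url: str, now: Optional[int] = None) -> bool:
    """Return True only for a well-formed, unexpired, correctly signed URL.

    Fails closed: an empty or unset signing key rejects every URL instead of
    silently signing/verifying with b"" (the case the changelog entry names).
    """
    if not key:  # "signing key not initialized" -> deny, never verify with b""
        return False
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    now = int(time.time()) if now is None else now
    if now > expires:
        return False  # link has expired
    msg = f"{parsed.path}|{expires}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak the valid signature
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample value
    link = sign_url(demo_key, "/s/abc123/download", 2_000_000_000)
    print(link, verify_presigned(demo_key, link, now=1_900_000_000))
```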