ownCloud vulnerability can be used to extract admin passwords

ownCloud has warned users about three critical security flaws in its file-sharing software which, if exploited, could reveal sensitive information and modify files. One especially impactful vulnerability could lead to the disclosure of sensitive credentials and configuration in containerized deployments.

ownCloud is a very widely used open-source project that allows users to host and sync files. ownCloud says on its own website that it has 200 million users, including 600 enterprises.

The vulnerabilities stem from one of the building blocks of the project.

“The graphapi app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).”

Microsoft’s Graph API (graphapi) is a web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API.

A Shodan search shows many thousands of exposed services, especially in Germany and the US.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the found vulnerabilities are:

CVE-2023-49105 (CVSS score 9.8 out of 10): An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

CVE-2023-49104 (CVSS score 9 out of 10): An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain (TLD) controlled by the attacker.

Redirect URLs are a critical part of the OAuth (authentication) flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.

CVE-2023-49103 (CVSS score 10 out of 10): An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When you access this URL, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. A working Proof of Concept (PoC) for this vulnerability is already available on GitHub.

Ransomware operators could have a field day with this vulnerability. As they have shown in the past, they love file-sharing apps almost as much as they love admin passwords. It allows them to roam free in your network and move the stolen data to a location under their control at your expense.

What to do

ownCloud says you should delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Simply disabling the graphapi app won’t eliminate the vulnerability.

In newer versions, ownCloud has disabled the phpinfo function in its Docker containers, and it has promised to apply further hardening in future core releases to mitigate similar vulnerabilities.

Then change the following:

  • Your ownCloud admin password
  • The mail server credentials
  • Database credentials
  • Object-Store/S3 access-key

Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

If you are unable to patch right now, you can disable the “Allow Subdomains” option as a workaround for CVE-2023-49104.

As a workaround for CVE-2023-49105, you can configure the signing-key.

Instructions on how to update ownCloud can be found on its website.