ownCloud Security Advisories (2013-014, 2013-015, 2013-016)


Lukas Reschke-2
# XSS vulnerability in jPlayer (oC-SA-2013-014)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-014/

## CVE IDENTIFIERS
- CVE-2013-1942 (jPlayer)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- High

## COMMITS
- 53672a0 (stable5)
- 8716b7f (stable45)
- 60f6bfa (stable4)


## DESCRIPTION
A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.4, including the 4.x branch, allows remote attackers to
execute arbitrary JavaScript when a user opens a specially crafted URL.

This vulnerability exists in the third-party plugin "jPlayer" that we use.
jPlayer released version 2.2.20, which addresses the problem. This
version is not yet officially released and is only available via their
Git repository.


## CREDITS
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing this to us
and upstream.


## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

---------------------------------------

# Postgre: Insecure database password generator (oC-SA-2013-015)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-015/

## CVE IDENTIFIERS
- CVE-2013-1941

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- Critical

## COMMITS
- 9a4fe09 (stable5)
- 463039d (stable45)
- cdd10ba (stable4)

## DESCRIPTION

Due to using `time()` as the random source in the installation routine,
the entropy of the generated PostgreSQL database user password is very
low and it can be easily guessed.

We recommend that every PostgreSQL admin change the database user
password as soon as possible!

Note: This vulnerability affects only servers using PostgreSQL as the database.

## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2


---------------------------------------

# Windows: Local file disclosure (oC-SA-2013-016)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-016/

## CVE IDENTIFIERS
- CVE-2013-1939 (SabreDAV)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- High

## COMMITS
- c23a065 (stable5)
- ade2831 (stable45)
- 792c5ec (stable4)

## DESCRIPTION
Due to not rejecting `\` as a path separator in all ownCloud versions
prior to 5.0.4, including the 4.x branch, an authenticated remote
attacker is able to download arbitrary files from the server when it is
running under Windows.

This vulnerability exists inside the DAV implementation we use,
"SabreDAV", and was found by the ownCloud security team. SabreDAV
released fixed versions to address this problem.

## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2


--
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99
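The entropy problem behind oC-SA-2013-015 above, as an added illustration that is not ownCloud's code: the weak routine is modelled as a PRNG seeded with the install-time Unix second (an assumption about its shape, not a reproduction of the original), placed beside a generator that draws from the OS CSPRNG, with a helper that counts the bits of entropy each one actually has.

```python
"""Added example (not ownCloud code): a clock-seeded database password
generator versus a CSPRNG-backed one, with their effective entropy.

Assumption: the vulnerable routine is modelled as seeding a PRNG with
the current Unix second; the real installer code is not reproduced."""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
LENGTH = 30


def weak_db_password(unix_second: int, length: int = LENGTH) -> str:
    """Modelled weak generator: every bit of the output is derived from one
    integer (the install second), so the password is a pure function of it."""
    rng = random.Random(unix_second)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_db_password(length: int = LENGTH) -> str:
    """Fixed generator: each symbol comes from the OS CSPRNG, independent of
    the clock, so the output space is the full 62**length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(distinct_outputs: int) -> float:
    """Entropy of a generator that can produce `distinct_outputs` values."""
    return math.log2(distinct_outputs)


def weak_entropy_bits(window_seconds: int) -> float:
    """A time()-seeded generator yields at most one password per second, so
    its entropy is bounded by the size of the plausible install window,
    not by the password length."""
    return entropy_bits(window_seconds)


def strong_entropy_bits(length: int = LENGTH) -> float:
    return entropy_bits(len(ALPHABET) ** length)


if __name__ == "__main__":
    install_ts = 1_365_000_000  # constructed install timestamp (April 2013)
    print("weak, same second twice :", weak_db_password(install_ts) == weak_db_password(install_ts))
    print("weak entropy, 1y window :", round(weak_entropy_bits(365 * 24 * 3600), 1), "bits")
    print("strong entropy          :", round(strong_entropy_bits(), 1), "bits")
```

The numbers make the "Critical" rating concrete: a one-year install window bounds the weak generator at roughly 25 bits regardless of the 30-character length, while the CSPRNG version has about 178 bits.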