Package: owncloud
Version: 4.0.4debian-1
Severity: grave
Tags: security
Justification: user security hole
The following security issues are still open in Wheezy (although they're fixed in sid):

Since Wheezy is frozen, this either needs to be fixed with an upload to testing-proposed-updates containing only the security fixes or by getting 4.0.7 into Wheezy (given how the freeze has been so far, the former is most likely preferred by release managers).

Cheers,
Moritz

Please see http://seclists.org/oss-sec/2012/q3/363 :

Version 4.0.7, Aug 14th 2012

Vulnerability of type ".htaccess upload" in file /lib/migrate.php.
A user could import a crafted import.zip to upload a .htaccess to the data folder, which could lead to code execution.
https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a
Please use CVE-2012-4389 for this issue.

====

Vulnerability of type "user enumeration" in file remote.php.
It has been discovered that an authenticated user could get a list of all registered users.
https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707
Please use CVE-2012-4390 for this issue.

====

Vulnerability of type "CSRF" in file appconfig.php.
The appconfig.php wasn't checking the CSRF token. This could allow an attacker to edit the app configurations.
https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188
Please use CVE-2012-4391 for this issue.

====

Vulnerability of type "auth bypass" in file index.php.
Due to improper checking of the cookie, an unauthenticated attacker could log in as a user if the user never used the "remember password" function.
https://github.com/owncloud/core/commit/baab13ae134ff109c043371a7813df9b9bd4967b
Please use CVE-2012-4392 for this issue.

-------------

Version 4.0.6, Aug 1st 2012

Security: Check for Admin user in appconfig.php (CSRF)
Registered users could change app configs without admin rights.
https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f

Security: Several CSRF security fixes
The admin settings and the bookmark app weren't checking the CSRF token.
https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f and
https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745
CVEs merged into a single CVE. Please use CVE-2012-4393 for these issues.

-------------

Version 4.0.5, July 20th

Reflected XSS (XSS)
The filelist wasn't sanitizing HTML values in image files.
https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8
Please use CVE-2012-4394 for this issue.
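The .htaccess import issue above (CVE-2012-4389) is the classic case of an archive import that writes entry names straight into a web-served data folder. As an added example, not ownCloud's code or the referenced commit, here is a Python validator that inspects a constructed import.zip and refuses server configuration dotfiles and path-traversal names before anything is extracted; the blocked basenames beyond .htaccess are an assumption.

```python
import io
import posixpath
import zipfile
from typing import Dict, Optional

# Files that must never land in a web-served data directory. .htaccess is the
# one named in CVE-2012-4389; the other two are an assumption added here
# (per-directory config files that Apache/PHP also honour).
BLOCKED_BASENAMES = {".htaccess", ".htpasswd", ".user.ini"}


def check_entry(name: str) -> Optional[str]:
    """Return a rejection reason for one archive entry name, or None if it is acceptable."""
    if not name or name.endswith("/"):
        return None  # directory entries carry no content, nothing is written
    if name.startswith("/") or "\\" in name or ":" in name:
        return "absolute or non-POSIX path"
    normalized = posixpath.normpath(name)
    # After normpath, any surviving '..' can only be at the front of the path.
    if normalized.split("/")[0] == "..":
        return "path traversal outside the data folder"
    base = posixpath.basename(normalized)
    if base in BLOCKED_BASENAMES:
        return "server configuration file %r" % base
    return None


def validate_import(zip_bytes: bytes) -> Dict[str, str]:
    """Map every offending entry name to its reason; an empty dict means the archive is safe to extract."""
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_entry(info.filename)
            if reason:
                rejected[info.filename] = reason
    return rejected


def build_sample_zip() -> bytes:
    """Constructed import.zip mixing a legitimate file with the entries the check must block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("files/notes.txt", "benign content")
        zf.writestr("files/.htaccess", "# constructed placeholder, never written to disk")
        zf.writestr("../../config/evil.txt", "would escape the data folder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in validate_import(build_sample_zip()).items():
        print("rejected %s: %s" % (entry, why))
```

The import should abort on a non-empty result rather than skip the bad entries, since a partially applied archive is harder to reason about than a refused one.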