The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.
A brief description of the vulnerabilities is as follows:
- Disclosure of sensitive credentials and configuration in containerized deployments, impacting graphapi versions from 0.2.0 to 0.3.0 (CVSS score: 10.0)
- WebDAV API Authentication Bypass Using Pre-Signed URLs, impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8)
- Subdomain Validation Bypass, impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0)
“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the company said of the first flaw.
“This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”
As a fix, ownCloud is recommending deleting the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disabling the ‘phpinfo’ function. It is also advising users to rotate secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys, since any of them may already have been exposed through the phpinfo output.
The second issue makes it possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.
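The failure mode described above is a pre-signed URL verifier that does not fail closed when the user has no signing key. The following added example (not ownCloud's code; the HMAC scheme, the `USER_SIGNING_KEYS` store, the `files.example.test` host and the users `alice` and `bob` are all constructed for illustration) puts a fail-open verifier beside a fail-closed one: the weak variant substitutes an empty key when none is configured, so a URL signed with an empty key is accepted, while the hardened variant refuses the request outright.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample key store (illustration only): alice has configured a
# signing key, bob has never configured one, the default state for new users.
USER_SIGNING_KEYS = {
    "alice": b"constructed-alice-signing-key",
    "bob": None,
}


def _canonical(user: str, path: str, expires: int) -> bytes:
    """The byte string that gets signed: user, path and expiry, joined with a
    separator that cannot appear in any of the fields."""
    return f"{user}\n{path}\n{expires}".encode()


def sign_url(user: str, path: str, expires: int, key: bytes) -> str:
    """Build a pre-signed URL for `path` that is valid until `expires`."""
    sig = hmac.new(key, _canonical(user, path, expires), hashlib.sha256).hexdigest()
    query = urlencode({"user": user, "expires": expires, "signature": sig})
    return f"https://files.example.test{path}?{query}"


def _parse(url: str):
    """Pull path, user, expiry and signature out of a pre-signed URL."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        return parts.path, q["user"][0], int(q["expires"][0]), q["signature"][0]
    except (KeyError, ValueError):
        return None


def verify_fail_open(url: str, now: int, keys=USER_SIGNING_KEYS) -> bool:
    """Weak verifier: when the user has no key it falls back to an empty key,
    so anyone who knows the username can mint an acceptable signature."""
    parsed = _parse(url)
    if parsed is None:
        return False
    path, user, expires, sig = parsed
    if user not in keys or expires < now:
        return False
    key = keys[user] or b""  # the fail-open mistake: a missing key becomes b""
    expected = hmac.new(key, _canonical(user, path, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def verify_fail_closed(url: str, now: int, keys=USER_SIGNING_KEYS) -> tuple[bool, str]:
    """Hardened verifier: no configured key means no pre-signed access at all."""
    parsed = _parse(url)
    if parsed is None:
        return False, "malformed"
    path, user, expires, sig = parsed
    key = keys.get(user)
    if not key:
        return False, "no signing key configured for user"  # refuse, never default
    if expires < now:
        return False, "expired"
    expected = hmac.new(key, _canonical(user, path, expires), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    good = sign_url("alice", "/dav/files/alice/report.pdf", now + 600, USER_SIGNING_KEYS["alice"])
    forged = sign_url("bob", "/dav/files/bob/secret.txt", now + 600, b"")
    print("alice, fail-closed:", verify_fail_closed(good, now))
    print("bob forgery, fail-open:", verify_fail_open(forged, now))
    print("bob forgery, fail-closed:", verify_fail_closed(forged, now))
```

The ordering inside `verify_fail_closed` matters: the key check comes before the signature comparison, so a user without a key is rejected with a distinct reason that can be logged and alerted on, rather than producing a generic signature failure.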
Lastly, the third flaw relates to a case of improper access control that allows an attacker to “pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”
In addition to adding hardening measures to the validation code in the oauth2 app, ownCloud has recommended that users disable the “Allow Subdomains” option as a workaround.
The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and obtain plain-text passwords.
The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.
“This vulnerability is critical because it does NOT require any authentication,” CrushFTP noted in an advisory released at the time. “It can be done anonymously and steal the session of other users and escalate to an administrator user.”