The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.
A brief description of the vulnerabilities is as follows:
- Disclosure of sensitive credentials and configuration in containerized deployments, affecting graphapi versions 0.2.0 to 0.3.0 (CVSS score: 10.0)
- WebDAV API authentication bypass using pre-signed URLs, affecting core versions 10.6.0 to 10.13.0 (CVSS score: 9.8)
- Subdomain validation bypass, affecting oauth2 versions prior to 0.6.1 (CVSS score: 9.0)
"The 'graphapi' app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," the company said of the first flaw.
"This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key."
As a fix, ownCloud recommends deleting the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file and disabling the 'phpinfo' function. Because the file is a test script shipped inside the vendored library rather than part of the app's own code, disabling the graphapi app does not remove it; the file itself has to be deleted. ownCloud also advises users to rotate secrets that may already have been exposed, such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
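The two remediation steps above (remove the leaked test file, disable phpinfo) are easy to verify on a host. The following is an added example, not ownCloud's own tooling: it audits a web root for the file path named in the advisory and parses a php.ini `disable_functions` directive for `phpinfo`. The web-root fixture it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Path of the leaky test script, relative to the ownCloud web root,
# as named in the advisory.
LEAKY_FILE = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True if the php.ini text disables phpinfo via disable_functions."""
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            funcs = {f.strip() for f in m.group(1).strip().strip('"').split(",")}
            if "phpinfo" in funcs:
                return True
    return False


def audit(webroot: str, php_ini_text: str) -> dict:
    """Report whether the leaky file exists and whether phpinfo is disabled."""
    path = os.path.join(webroot, LEAKY_FILE)
    return {
        "leaky_file_present": os.path.isfile(path),
        "phpinfo_disabled": phpinfo_disabled(php_ini_text),
    }


def remediate(webroot: str) -> bool:
    """Delete the leaky file if present. Returns True if a file was removed."""
    path = os.path.join(webroot, LEAKY_FILE)
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def build_demo_webroot() -> str:
    """Constructed fixture: a temporary web root containing the leaky file."""
    root = tempfile.mkdtemp()
    full = os.path.join(root, LEAKY_FILE)
    os.makedirs(os.path.dirname(full))
    with open(full, "w") as fh:
        fh.write("<?php phpinfo();\n")
    return root


# Constructed php.ini fragments: one without the hardening, one with it.
WEAK_INI = "disable_functions =\n"
HARDENED_INI = '; hardened after the advisory\ndisable_functions = "exec,phpinfo"\n'


if __name__ == "__main__":
    root = build_demo_webroot()
    print("before:", audit(root, WEAK_INI))
    remediate(root)
    print("after: ", audit(root, HARDENED_INI))
```

Point the audit at the real web root and php.ini on a deployed instance; both findings should read "no file, phpinfo disabled" before the secret rotation is considered complete, since a reachable copy of the script re-exposes the rotated values.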
The second issue makes it possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.
Lastly, the third flaw relates to a case of improper access control that allows an attacker to "pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker."
In addition to adding hardening measures to the validation code in the oauth2 app, ownCloud has recommended that users disable the "Allow Subdomains" option as a workaround.
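The redirect-URI class of bug described above is worth seeing in code. The following is an added example and is not ownCloud's oauth2 validation code; it models a registered redirect URI, a candidate `redirect_uri`, and an `allow_subdomains` flag standing in for the "Allow Subdomains" option. It shows the naive substring check that accepts an attacker-controlled TLD beside a host comparison that only accepts the registered host or a true dot-boundary subdomain of it, with scheme, port and userinfo checked as well. The host names are constructed for the demonstration.

```python
from urllib.parse import urlsplit


def naive_host_matches(registered_host: str, candidate_host: str) -> bool:
    """The weak pattern: substring containment. 'cloud.example' is found inside
    'cloud.example.attacker.tld', so an attacker TLD passes."""
    return registered_host in candidate_host


def host_matches(registered_host: str, candidate_host: str, allow_subdomains: bool) -> bool:
    """Exact host match, or (if enabled) a subdomain on a dot boundary.
    'api.cloud.example' is a subdomain of 'cloud.example';
    'cloud.example.attacker.tld' and 'evilcloud.example' are not."""
    registered_host = registered_host.lower().rstrip(".")
    candidate_host = candidate_host.lower().rstrip(".")
    if candidate_host == registered_host:
        return True
    return allow_subdomains and candidate_host.endswith("." + registered_host)


def redirect_allowed(registered: str, candidate: str, allow_subdomains: bool) -> bool:
    """Decide whether an OAuth callback may be sent to `candidate`, given the
    client's registered redirect URI. Assumed policy, not ownCloud's."""
    r, c = urlsplit(registered), urlsplit(candidate)
    if not r.hostname or not c.hostname:
        return False
    if c.scheme != r.scheme:                  # no https -> http downgrade
        return False
    if c.username or c.password:              # 'https://cloud.example@attacker.tld/'
        return False
    try:
        if c.port != r.port:                  # explicit port must match
            return False
    except ValueError:                        # malformed port
        return False
    return host_matches(r.hostname, c.hostname, allow_subdomains)


if __name__ == "__main__":
    reg = "https://cloud.example/oauth/callback"
    for uri in (
        "https://cloud.example/oauth/callback",
        "https://api.cloud.example/oauth/callback",
        "https://cloud.example.attacker.tld/oauth/callback",
        "https://evilcloud.example/oauth/callback",
        "https://cloud.example@attacker.tld/oauth/callback",
    ):
        print(uri, "->", redirect_allowed(reg, uri, allow_subdomains=True))
```

Even with the dot-boundary check, allowing subdomains widens the trust boundary to every host under the registered domain; exact matching of the full registered URI is the stricter default, which is what the "disable Allow Subdomains" workaround effectively restores.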
The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and obtain plain-text passwords.
The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.
"This vulnerability is critical because it does NOT require any authentication," CrushFTP noted in an advisory released at the time. "It can be done anonymously and steal the session of other users and escalate to an administrator user."
Some parts of this article are sourced from:
thehackernews.com