Security Breach

Steps to reproduce

  1. Send a request to get a public URL for all files under a folder without an Authorization token in the header.

Expected behavior

As the request doesn’t have Authorization in the header, it should be denied.

Actual behavior

Got the public URL for all the files.

Server configuration

Operating system: Ubuntu 16.04

Web server: Apache

Database: MySQL

PHP version: PHP 7.0.33-0ubuntu0.16.04.5

ownCloud version: (see ownCloud admin page)
10.2.1

Updated from an older ownCloud or fresh install: Fresh

Where did you install ownCloud from: Official website

Signing status (ownCloud 9.0 and above):
Technical information

The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results

  • passman
    • EXCEPTION
      • OC\IntegrityCheck\Exceptions\MissingSignatureException
      • Signature data not found.

Raw output

Array
(
    [passman] => Array
        (
            [EXCEPTION] => Array
                (
                    [class] => OC\IntegrityCheck\Exceptions\MissingSignatureException
                    [message] => Signature data not found.
                )

        )

)

Admin Edit: removed parts of template that weren’t filled out

Please explain in more detail how you did that.

Your ownCloud version isn’t up to date, please update to 10.3.2. However, since 10.3.0 ownCloud doesn’t support PHP 7.0 any more. So you’ll have to update your PHP version.

2 Likes

Hello,

I’ve tried the “steps” but I couldn’t reproduce the breach. I’ve noticed an issue was created.

3 Likes