OwnCloud Asset Pipeline Feature Remote Path Disclosure Vulnerability Network Vulnerability

Summary

The host is installed with ownCloud and is prone to path disclosure vulnerability

Impact

Successful exploitation will allow remote attackers to conduct a brute-force attack and gain access to the the installation path of the program. Impact Level: Application

Solution

Upgrade to ownCloud Server 7.0.3 or later. For updates refer to http://owncloud.org

Insight

The error exists due to flaw in the Asset Pipeline feature due to the program is generating files on the local filesystem with a filename that is created by hashing the original CSS and JS absolute file paths using MD5.

Affected

ownCloud Server 7.x before 7.0.3

Detection

Get the installed version with the help of detect NVT and check the version is vulnerable or not.

References

http://osvdb.org/115173
https://owncloud.org/security/advisory/?id=oc-sa-2014-021

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-9044

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Andy's PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities
Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
Adiscon LogAnalyzer 'highlight' Parameter Cross Site Scripting Vulnerability
Annuaire PHP 'sites_inscription.php' Cross Site Scripting Vulnerability
Apache Struts2 showcase namespace XSS Vulnerability

ownCloud Asset Pipeline Feature Remote Path Disclosure Vulnerability

Take action and discover your vulnerabilities