OwnCloud Local File Inclusion Vulnerability -01 Aug14 Network Vulnerability

Summary

This host is installed with ownCloud and is prone to local file inclusion vulnerability.

Impact

Successful exploitation will allow remote attackers to reinstall the instance overwriting the existing configuration or execute arbitrary PHP code or disclose the contents of any file on the system. Impact Level: System/Application

Solution

Upgrade to ownCloud version 5.0.17 or 6.0.4 or later. For updates refer to http://owncloud.org

Insight

The flaw exists due to the Routing component not properly sanitizing user-supplied input to the 'filename' parameter in a require_once statement.

Affected

ownCloud Server 5.0.x before version 5.0.17, 6.0.x before version 6.0.4

Detection

Get the installed version with the help of detect NVT and check the version is vulnerable or not.

References

http://owncloud.org/changelog/
http://secunia.com/advisories/59543
http://www.osvdb.com/106412

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-4929

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability
Apache Struts2 'XWork' Information Disclosure Vulnerability
Admidio get_file.php Remote File Disclosure Vulnerability
AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
7Media Web Solutions EduTrac Directory Traversal Vulnerability

ownCloud Local File Inclusion Vulnerability -01 Aug14

Take action and discover your vulnerabilities