ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica
“The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL”
Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.
We generally spend a couple of days to a week before finding something critical allowing RCE.
This is why I don’t expose anything other than my wireguard on my network
Also worth noting here: Exposing wireguard is quite safe because the daemon doesn’t even respond unless it recognizes your key. It just drops the UDP packet otherwise.
Nothing is unhackable, but this is damn near close. Such a brilliant design.
Thanks, OP. Now if only I could figure out how to change the SQLite database password in ownCloud 10.10 (it’s not stored in config.php, but there is a “passwordsalt” configured there).
I’m surprised that ownCloud didn’t use a single PHP entrypoint. In PHP software you must restrict access to .php files, that’s front controller basis. They really did bad and I’m very disappointed.
OwnedCloud.
Thank you, thank you.
That’s why I keep nextcloud behind http basic auth. Don’t trust those software to expose them directly to Internet.
Basic auth is better than no auth, but it is absolutely not a recommended auth method these days
I use it on top of nextcloud auth
Basic auth is a base64 of your login credentials, might as well be plain text. You should absolutely not be using basic auth if you have other options
Ist this also affecting ownCloud OCIS as well?
To my understanding, OCIS is a complete rewrite of OwnCloud and was written in Go. So my intuition tells me it’s not but I could be wrong.
Oof size: LARGE.
Oof size: 10 (maximum oof size)