TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0

Published: 2012/04/18
Version 1.0

Affected products:
    ownCloud version 3.0.0 (others not tested)
    http://owncloud.org

References: 
    TC-SA-2012-01 https://www.secuvera.de/advisories/TC-SA-2012-01.txt (used for updates)
    CVE-2012-2269 – XSS in ownCloud 3.0.0
    CVE-2012-2270 – Open Redirect in ownCloud 3.0.0

Summary:
    "ownCloud gives you easy and universal access to all of your files.
     It also provides a platform to easily view, sync and share your 
     contacts, calendars, bookmarks and files across all your devices.
     ownCloud 3 brings loads of new features and hundreds of fixes"

Vulnerable Scripts:
    stored XSS:
     - /apps/contacts/ajax/addcard.php (any input field)
     - /apps/contacts/ajax/addproperty.php (parameter)
     - /apps/contacts/ajax/createaddressbook (name)

    reflected XSS:
     - /files/download.php (file)
     - /files/index.php (name, user, redirect_url)
	
    open redirect after login:
     - Login Page

Examples:
    stored XSS:
      - add a new contact and enter <script>alert("Help Me")</script> in any field, save the contact
      - add a new date in calendar with name <script>alert("Help Me")</script>"
      
    reflected XSS (un-authenticated):
      - http://$domain/owncloud/index.php?redirect_url=1"><script>alert("Help Me")</script><l=" (must not be logged in)

    open redirect after login:
      - http://$domain/owncloud/index.php?redirect_url=http%3a//www.boeserangreifer.de/

Possible solutions:
    - update to OwnCloud 3.0.2

Disclosure Timeline:
    2012/02/01 vendor contacted via #owncloud on freenode IRC, got E-Mail
    2012/02/01 vendor contacted via E-Mail
    2012/02/02 vendor response 
    2012/04/16 asked vendor for status updates
    2012/04/16 vendor status: patched with version 3.0.2
    2012/04/18 public disclosure

Credits:
    Tobias Glemser (tglemser@secuvera.de)
    secuvera GmbH, Germany (former Tele-Consulting security networking training GmbH)
    www.secuvera.de
    
Disclaimer:
    All information is provided without warranty. The intent is to 
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore Tele-Consulting shall 
    not be liable for any direct or indirect damages that might be 
    caused by using this information.