
github.com/nextcloud/nextcloud.com.git - Unnamed repository; edit this file 'description' to name the repository.
author: Lukas Reschke <lukas@statuscode.ch> 2017-02-05 14:19:25 +0300
committer: Lukas Reschke <lukas@statuscode.ch> 2017-02-05 14:19:25 +0300
commit: 43bef2ffe3f67ac26f5f24f73bed7479d4c12867 (patch)
tree: e9517934fc25b3e5ea43ab1c7a9ba64ce052098d /advisories
parent: 2e437ecc0ed4e6629fc88d041897b9f5edde2806 (diff)
Add new advisories
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'advisories')
-rw-r--r-- advisories/advisories.rss 36
-rw-r--r-- advisories/advisory-side.php 13
-rw-r--r-- advisories/nc-sa-2017-001.php 39
-rw-r--r-- advisories/nc-sa-2017-002.php 39
-rw-r--r-- advisories/nc-sa-2017-003.php 38
-rw-r--r-- advisories/nc-sa-2017-004.php 38
-rw-r--r-- advisories/nc-sa-2017-005.php 38
-rw-r--r-- advisories/nc-sa-2017-006.php 38
-rw-r--r-- advisories/server-list-part.php 16
9 files changed, 288 insertions, 7 deletions
diff --git a/advisories/advisories.rss b/advisories/advisories.rss
index 18f8d551..19c28a31 100644
--- a/advisories/advisories.rss
+++ b/advisories/advisories.rss
@@ -5,6 +5,42 @@
<link>https://nextcloud.com/security/advisories/</link>
<description>The Nextcloud security advisories as a RSS feed</description>
<ttl>1800</ttl><item>
+ <title>Server: Content-Spoofing in &quot;files&quot; app (nC-SA-2017-006)</title>
+ <description>&lt;p&gt;The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-006&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-006</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-006</guid>
+ <pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
+ </item><item>
+ <title>Server: Bypassing quota limitation (nC-SA-2017-005)</title>
+ <description>&lt;p&gt;Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-005&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-005</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-005</guid>
+ <pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
+ </item><item>
+ <title>Server: Denial of Service attack (nC-SA-2017-004)</title>
+ <description>&lt;p&gt;Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-004&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-004</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-004</guid>
+ <pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
+ </item><item>
+ <title>Server: Error message discloses existence of file in write-only share (nC-SA-2017-003)</title>
+ <description>&lt;p&gt;Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-003</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-003</guid>
+ <pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
+ </item><item>
+ <title>Server: Creation of folders in read-only folders despite lacking permissions (nC-SA-2017-002)</title>
+ <description>&lt;p&gt;Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.&lt;/p&gt;&lt;p&gt;Note that this only affects folders and files that the adversary has at least read-only permissions for.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-002</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-002</guid>
+ <pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
+ </item><item>
+ <title>Server: Permission increase on re-sharing via OCS API (nC-SA-2017-001)</title>
+ <description>&lt;p&gt;A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.&lt;/p&gt;&lt;p&gt;Note that this only affects folders and files that the adversary has at least read-only permissions for.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2017-001&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-001</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2017-001</guid>
+ <pubDate>Sun, 05 Feb 2017 11:36:08 +0100</pubDate>
+ </item><item>
<title>Server: Content-Spoofing in &quot;dav&quot; app (nC-SA-2016-011)</title>
<description>&lt;p&gt;The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.&lt;/p&gt;&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2016-011&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2016-011</link>
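Review bot: the nC-SA-2017-005 description has a typo ("sanitzing") and wraps `OC-Total-Length` in Markdown backticks, which an RSS reader will show literally since the description is HTML-escaped markup; use "sanitizing" and `&lt;code&gt;OC-Total-Length&lt;/code&gt;` instead. Also note the mixed-case ids in the links (`?id=nC-SA-2017-006`) differ from the lowercase `nc-sa-2017-006` used in advisory-side.php and server-list-part.php in this same commit; if the id lookup is case-sensitive, one of the two forms is a broken link, so pick one spelling for every feed item and sidebar entry.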
diff --git a/advisories/advisory-side.php b/advisories/advisory-side.php
index 7fd0e0b7..0cc69511 100644
--- a/advisories/advisory-side.php
+++ b/advisories/advisory-side.php
@@ -1,6 +1,7 @@
-<br/><p>Nextcloud server 10.0.1</p>
-<a href="/security/advisory/?id=nc-sa-2016-006">SMB User Authentication Bypass</a><br/>
-<a href="/security/advisory/?id=nc-sa-2016-008">Stored XSS in CardDAV image export</a><br/>
-<a href="/security/advisory/?id=nc-sa-2016-009">Reflected XSS in Gallery application</a><br/>
-<a href="/security/advisory/?id=nc-sa-2016-010">Content-Spoofing in "files" app</a><br/>
-<a href="/security/advisory/?id=nc-sa-2016-011">Content-Spoofing in "dav" app</a><br/>
+<br/><p>Nextcloud server 10.0.2</p>
+<a href="/security/advisory/?id=nc-sa-2017-001">Permission increase on re-sharing via OCS API</a><br/>
+<a href="/security/advisory/?id=nc-sa-2017-002">Creation of folders in read-only folders despite lacking permissions</a><br/>
+<a href="/security/advisory/?id=nc-sa-2017-003">Error message discloses existence of file in write-only share</a><br/>
+<a href="/security/advisory/?id=nc-sa-2017-004">Denial of Service attack</a><br/>
+<a href="/security/advisory/?id=nc-sa-2017-005">Bypassing quota limitation</a><br/>
+<a href="/security/advisory/?id=nc-sa-2017-006">Content-Spoofing in "files" app</a><br/>
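Review bot: the sidebar replaces the 10.0.1 block with a 10.0.2 block, but the six new advisories also list Nextcloud Server &lt; 9.0.55 as affected and no 9.0.x entry is added here, so a reader on the 9.0 branch who only sees the sidebar would not learn that 9.0.55 is the fixed release. Either add a 9.0.55 heading with the same links, as server-list-part.php does in this commit, or state in the heading that the list covers both branches.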
diff --git a/advisories/nc-sa-2017-001.php b/advisories/nc-sa-2017-001.php
new file mode 100644
index 00000000..ec6bdfdb
--- /dev/null
+++ b/advisories/nc-sa-2017-001.php
@@ -0,0 +1,39 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>Permission increase on re-sharing via OCS API (NC-SA-2017-001)</h2>
+ <p>5th February 2017</p>
+ <p>Risk level: <strong>Medium</strong></p>
+ <p>CVSS v3 Base Score: 5.4 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N">AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/275.html">Permission Issues (CWE-275)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/169680">169680</a></p>
+ <h3>Description</h3>
+ <p><p>A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set.</p>
+<p>Note that this only affects folders and files that the adversary has at least read-only permissions for.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>9.0.55</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The permissions are now properly checked on the OCS endpoint.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://secator.com/" target="_blank" rel="noreferrer">secator - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
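Review bot: the Description and Action Taken sections nest `<p>` inside `<p>` (`<p><p>A permission related issue ...</p>` followed by a bare `</p>`), which is invalid HTML; browsers auto-close the outer paragraph at the inner one and leave a stray `</p>`, so drop the outer `<p>`/`</p>` wrapper and keep only the inner paragraphs. The same pattern appears in every new advisory file in this commit, which suggests the generator template emits the wrapper; fixing it there fixes all six.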
diff --git a/advisories/nc-sa-2017-002.php b/advisories/nc-sa-2017-002.php
new file mode 100644
index 00000000..4729dbf4
--- /dev/null
+++ b/advisories/nc-sa-2017-002.php
@@ -0,0 +1,39 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>Creation of folders in read-only folders despite lacking permissions (NC-SA-2017-002)</h2>
+ <p>5th February 2017</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 4.1 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N">AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/275.html">Permission Issues (CWE-275)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/169680">169680</a></p>
+ <h3>Description</h3>
+ <p><p>Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder.</p>
+<p>Note that this only affects folders and files that the adversary has at least read-only permissions for.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>9.0.55</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The file cache operation is now only performed if the file system operation succeeded.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://secator.com/" target="_blank" rel="noreferrer">secator - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
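Review bot: this advisory cites the same HackerOne report (169680) as nc-sa-2017-001; if one report covered both findings that is fine, but it is worth a short sentence saying so, otherwise it reads like a copy-and-paste leftover. The description says the adversary can "create empty folders inside a shared folder", while the title says "read-only folders"; adding "read-only" to the description sentence would keep the two consistent. The nested `<p><p>...</p></p>` markup in Description and Action Taken should also be flattened.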
diff --git a/advisories/nc-sa-2017-003.php b/advisories/nc-sa-2017-003.php
new file mode 100644
index 00000000..9e49cb47
--- /dev/null
+++ b/advisories/nc-sa-2017-003.php
@@ -0,0 +1,38 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>Error message discloses existence of file in write-only share (NC-SA-2017-003)</h2>
+ <p>5th February 2017</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 3.7 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L">AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/209.html">Information Exposure Through an Error Message (CWE-209)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/174524">174524</a></p>
+ <h3>Description</h3>
+ <p><p>Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>9.0.55</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The error in the application logic has been addressed.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://secator.com/" target="_blank" rel="noreferrer">secator - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
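Review bot: the Action Taken text ("The error in the application logic has been addressed.") tells an administrator nothing about what changed; the other advisories in this commit name the concrete fix, and this one should say what the write-only share endpoint now does with its error messages so the fix can be verified. Separately, the CVSS vector includes A:L although the description only describes disclosure of file and folder names (confidentiality); confirm whether an availability impact is intended or whether the vector should be A:N, which would also change the 3.7 score. The nested `<p><p>...</p></p>` markup should be flattened as in the other files.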
diff --git a/advisories/nc-sa-2017-004.php b/advisories/nc-sa-2017-004.php
new file mode 100644
index 00000000..b19760ce
--- /dev/null
+++ b/advisories/nc-sa-2017-004.php
@@ -0,0 +1,38 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>Denial of Service attack (NC-SA-2017-004)</h2>
+ <p>5th February 2017</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 5 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L">AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/674.html">Uncontrolled Recursion (CWE-674)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/174524">174524</a></p>
+ <h3>Description</h3>
+ <p><p>Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>9.0.55</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The code path leading to the endless recursion is now properly handled.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://secator.com/" target="_blank" rel="noreferrer">secator - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
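Review bot: the score is printed as "5" while every other advisory in this commit uses one decimal place ("5.4", "4.1", "3.7"); write it as "5.0" for consistency, and note that the same HackerOne report (174524) is cited here and in nc-sa-2017-003, which deserves a sentence if one report covered both issues. The title "Denial of Service attack" is generic; naming the component or endpoint where the recursion occurs would make the advisory searchable, as the other titles in this batch do. The nested `<p><p>...</p></p>` markup should be flattened.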
diff --git a/advisories/nc-sa-2017-005.php b/advisories/nc-sa-2017-005.php
new file mode 100644
index 00000000..bfd20c2d
--- /dev/null
+++ b/advisories/nc-sa-2017-005.php
@@ -0,0 +1,38 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>Bypassing quota limitation (NC-SA-2017-005)</h2>
+ <p>5th February 2017</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 0 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N">AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/807.html">Reliance on Untrusted Inputs in a Security Decision (CWE-807)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/173622">173622</a></p>
+ <h3>Description</h3>
+ <p><p>Due to not properly sanitzing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>9.0.55</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The `OC-Total-Length` HTTP header is now properly sanitized.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li>Nordin - Vulnerability discovery and disclosure.</li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
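Review bot: the CVSS vector `C:N/I:N/A:N` yields a base score of 0, which contradicts the "Low" risk level and an advisory whose whole point is that a user can consume more storage than the administrator allowed; a quota bypass is at least an availability impact on shared storage (A:L) or an integrity impact on the enforced limit (I:L), so the vector and score should be revisited before publication. The description also has the typo "sanitzing" and uses Markdown backticks around `OC-Total-Length` in both the Description and Action Taken paragraphs, which render literally in HTML; use `<code>OC-Total-Length</code>`. The nested `<p><p>...</p></p>` markup should be flattened as in the other files.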
diff --git a/advisories/nc-sa-2017-006.php b/advisories/nc-sa-2017-006.php
new file mode 100644
index 00000000..6519ab31
--- /dev/null
+++ b/advisories/nc-sa-2017-006.php
@@ -0,0 +1,38 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>Content-Spoofing in "files" app (NC-SA-2017-006)</h2>
+ <p>5th February 2017</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 3.1 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N">AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/451.html">User Interface (UI) Misrepresentation of Critical Information (CWE-451)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/179073">179073</a></p>
+ <h3>Description</h3>
+ <p><p>The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>10.0.2</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>9.0.55</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The user-controlled content is now not trusted anymore unless the folder structure exists on the file system.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://twitter.com/AhsanTahirAT" target="_blank" rel="noreferrer">Ahsan Tahir - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
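Review bot: the title "Content-Spoofing in "files" app" is identical to the nc-sa-2016-010 entry visible in the advisory-side.php hunk of this commit, so the two advisories cannot be told apart in the sidebar or the RSS feed; qualify this one with the affected element (the top navigation bar, per the description). The Action Taken sentence reads awkwardly ("is now not trusted anymore unless"); something like "The user-controlled path segments are now only displayed when the corresponding folder structure exists on the file system" says the same thing more clearly. The nested `<p><p>...</p></p>` markup should be flattened.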
diff --git a/advisories/server-list-part.php b/advisories/server-list-part.php
index 4c2af4c5..5073f8d2 100644
--- a/advisories/server-list-part.php
+++ b/advisories/server-list-part.php
@@ -1,4 +1,11 @@
-<p>Version 10.0.1</p>
+<p>Version 10.0.2</p>
+<a href="/security/advisory/?id=nc-sa-2017-001">Permission increase on re-sharing via OCS API</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-002">Creation of folders in read-only folders despite lacking permissions</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-003">Error message discloses existence of file in write-only share</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-004">Denial of Service attack</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-005">Bypassing quota limitation</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-006">Content-Spoofing in "files" app</a><br>
+<br/><p>Version 10.0.1</p>
<a href="/security/advisory/?id=nc-sa-2016-006">SMB User Authentication Bypass</a><br>
<a href="/security/advisory/?id=nc-sa-2016-008">Stored XSS in CardDAV image export</a><br>
<a href="/security/advisory/?id=nc-sa-2016-009">Reflected XSS in Gallery application</a><br>
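Review bot: the six advisory links added under "Version 10.0.2" are repeated verbatim in the "Version 9.0.55" block of the second hunk; maintaining two hand-copied lists invites drift the next time an entry is added or renamed, so consider defining the list once (for instance in a PHP array keyed by advisory id) and rendering it under each fixed version. This file also uses `<br>` for the link separators while advisory-side.php in the same commit uses `<br/>`; pick one form for both.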
@@ -6,6 +13,13 @@
<a href="/security/advisory/?id=nc-sa-2016-011">Content-Spoofing in "dav" app</a><br>
<br/><p>Version 10.0.0</p>
<a href="/security/advisory/?id=nc-sa-2016-007">Improper authorization check on removing shares</a><br>
+<br/><p>Version 9.0.55</p>
+<a href="/security/advisory/?id=nc-sa-2017-001">Permission increase on re-sharing via OCS API</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-002">Creation of folders in read-only folders despite lacking permissions</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-003">Error message discloses existence of file in write-only share</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-004">Denial of Service attack</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-005">Bypassing quota limitation</a><br>
+<a href="/security/advisory/?id=nc-sa-2017-006">Content-Spoofing in "files" app</a><br>
<br/><p>Version 9.0.54</p>
<a href="/security/advisory/?id=nc-sa-2016-006">SMB User Authentication Bypass</a><br>
<a href="/security/advisory/?id=nc-sa-2016-007">Improper authorization check on removing shares</a><br>
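Review bot: the new "Version 9.0.55" block is inserted before "Version 9.0.54" so the descending order is kept, which is correct, but it duplicates the same six links as the 10.0.2 block in the first hunk; if both lists stay hand-written, add a comment pointing at the other copy so a future edit updates both. The lowercase `nc-sa-2017-00x` ids used here should match whatever spelling the RSS feed links use.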