A few weeks ago there was a bit of hype about ownCloud when they released version 3.0.1. I decided to give it a spin; here is what I found.
Note: I contacted the development team earlier and these vulnerabilities have been fixed in the meantime with version 3.0.2, although I have not confirmed this myself due to lack of time.
XSS in files/download.php
XSS in files/index.php
Here is how:
1) Create a new folder on http://localhost/owncloud/files/index.php – any name will do, I used “PoC”
2) Share this folder with your victim or the victim's group
3) Switch to http://localhost/owncloud/files/index.php?dir=/PoC
4) Create a folder, called:
x"> <body onload=alert(1)><x="
5) Send that link to your victim:
It may be possible to create the folder directly in /; however, I couldn’t get that folder shared with other users. But since it gets automatically shared if the parent folder is shared, I didn’t invest much time into that.
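The folder name from step 4 only works because it is written into the page without output encoding. The following is an added example, not ownCloud's code and not the 3.0.2 fix: it puts an unencoded rendering of a folder row beside a context-encoded one and runs the name from the post through both. The function names and the row template are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not ownCloud's source code.

// Vulnerable pattern: the folder name is concatenated into a double-quoted
// attribute and into the link text with no encoding, so a '"' or '<' in the
// name ends the attribute or starts new markup.
function render_folder_row_unsafe(string $dir, string $name): string
{
    $path = $dir . '/' . $name;
    return '<a href="index.php?dir=' . $path . '" title="' . $name . '">' . $name . '</a>';
}

// Hardened pattern: encode for every context the value lands in.
function render_folder_row_safe(string $dir, string $name): string
{
    // URL context: percent-encode each path segment of the dir parameter.
    $segments = array_map('rawurlencode', explode('/', $dir . '/' . $name));
    $href = 'index.php?dir=' . implode('/', $segments);
    // HTML context: ENT_QUOTES covers both quote styles for attribute values.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $attr = htmlspecialchars($href, $flags, 'UTF-8');
    $text = htmlspecialchars($name, $flags, 'UTF-8');
    return '<a href="' . $attr . '" title="' . $text . '">' . $text . '</a>';
}

// Regression check: a row may contain only the delimiters the template itself
// emits (two '<', two '>', four '"'), whatever the folder name is.
function row_is_well_formed(string $html): bool
{
    return substr_count($html, '<') === 2
        && substr_count($html, '>') === 2
        && substr_count($html, '"') === 4;
}

// Folder name from step 4 of the post, used as the test input.
$name = 'x"> <body onload=alert(1)><x="';

foreach (['render_folder_row_unsafe', 'render_folder_row_safe'] as $fn) {
    $html = $fn('/PoC', $name);
    echo $fn, ': ', row_is_well_formed($html) ? 'OK' : 'MARKUP INJECTED', "\n";
    echo '  ', $html, "\n";
}
```

The delimiter count is a cheap regression test for one template; it does not replace encoding at every output site, including the Contacts fields mentioned below.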
XSS in apps/contacts/index.php
I found another XSS flaw in the Contacts function, creating a contact and adding this in any field:
will also execute. However, since you cannot share contacts between users (or can you?) I believe this is a minor problem.