A vulnerability in ownCloud's graphapi app, versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1, poses a significant security risk. It is caused by the GetPhpInfo.php library used by graphapi, which exposes sensitive PHP environment details, including all web server environment variables. In containerized deployments, this can lead to the disclosure of ownCloud admin passwords, mail server credentials, and license keys. Simply disabling the graphapi app does not mitigate the vulnerability; further action is necessary.

Original References

- ownCloud Advisory
- NVD CVE Details

Exploit Details

The vulnerability lies in the graphapi app's use of the GetPhpInfo.php library. This library offers a URL that, when accessed, reveals the PHP environment's complete configuration details (phpinfo).

Code Snippet from GetPhpInfo.php

<?php
header('Content-type: text/html; charset=utf-8');
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">';
echo "<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>";
echo '<head>';
echo "<title>PHP Info</title>";
// Dumps the full PHP configuration, including every environment variable visible to the web server
phpinfo();
echo '</head>';
echo '</html>';

This code snippet shows that when the URL provided by GetPhpInfo.php is accessed, all PHP environment details, including web server environment variables, are displayed, potentially exposing sensitive data to attackers.

In particular, this vulnerability affects containerized ownCloud deployments. Environment variables in these deployments often include sensitive configuration data like ownCloud admin passwords, mail server credentials, and license keys. Access to this information can allow attackers to compromise the ownCloud system, gain unauthorized access to sensitive data, and initiate further attacks.

It is important to note that Docker containers from before February 2023 are not vulnerable to the credential disclosure aspect of this vulnerability.

Solution

To address this vulnerability, update the ownCloud graphapi app to the latest version, 0.2.1 for the 0.2.x branch or 0.3.1 for the 0.3.x branch. It is crucial to apply the update, as merely disabling the graphapi app does not eliminate the risk associated with this vulnerability. The updated versions of graphapi address the issue by removing the GetPhpInfo.php library and no longer exposing the sensitive PHP environment details.
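To check whether the GetPhpInfo.php URL described above was requested before the update was applied, web server access logs can be searched for it. The following is an added example, not code from ownCloud or the advisory; it assumes combined-format access logs, and the sample lines, the EXAMPLE path segment and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format. IPs come from documentation
# ranges; the EXAMPLE path segment is a placeholder, not the real install path.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/EXAMPLE/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "curl/8.4.0"
203.0.113.7 - - [22/Nov/2023:10:01:05 +0000] "GET /apps/graphapi/EXAMPLE/GetPhpInfo%2Ephp HTTP/1.1" 200 81190 "-" "curl/8.4.0"
198.51.100.9 - - [22/Nov/2023:10:02:11 +0000] "GET /apps/graphapi/EXAMPLE/GetPhpInfo.php?a=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Nov/2023:10:03:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Nov/2023:10:03:09 +0000] "GET /docs/about-GetPhpInfo.php.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_phpinfo_requests(log_text):
    """Return one record per request whose path names GetPhpInfo.php."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Drop the query string, decode %xx escapes, compare case-insensitively.
        path = unquote(urlsplit(m["target"]).path).lower()
        # Match the script as a whole path segment, at any depth, so trailing
        # path info is still caught but look-alike file names are not.
        if "getphpinfo.php" not in path.split("/"):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "served": 200 <= status < 300})
    return hits

def served_sources(hits):
    """Client addresses that received a 2xx response, i.e. were sent the page."""
    return sorted({h["ip"] for h in hits if h["served"]})

if __name__ == "__main__":
    found = find_phpinfo_requests(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["status"], "SERVED" if h["served"] else "not served")
    print("clients that received the page:", served_sources(found))
```

On a containerized deployment, any served hit means the environment variables described above were sent to that client.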

In conclusion, this ownCloud graphapi vulnerability (CVE-2023-49103) poses a significant security risk for containerized environments and should be mitigated promptly. Update the graphapi app to the latest version to ensure the safe operation of your ownCloud system and protect sensitive configuration data from unauthorized access.

Timeline

Published on: 11/21/2023 22:15:08 UTC
Last modified on: 12/02/2023 00:22:46 UTC