0
submitted 11 months ago by LordOthello@alien.top to c/main@selfhosted.forum

ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica

"The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL"

top 24 comments
sorted by: hot top controversial new old
[-] idreamofjeanshorts@alien.top 3 points 11 months ago

OwnedCloud.

Thank you, thank you.

[-] pentesticals@alien.top 2 points 11 months ago

Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.

We generally spend a couple of days to a week before finding something critical allowing RCE.

[-] hypercyanate@alien.top 2 points 11 months ago

This is why I don't expose anything other than my wireguard on my network

[-] pastudan@alien.top 1 points 11 months ago

Also worth noting here: Exposing wireguard is quite safe because the daemon doesn’t even respond unless it recognizes your key. It just drops the UDP packet otherwise.

Nothing is unhackable, but this is damn near close. Such a brilliant design.

[-] amarao_san@alien.top 1 points 11 months ago

POST /api/admin/unauthorized_sudo

Oh, no, it's PhpGetInfo.php, sorry, my bad.

[-] IdiocracyToday@alien.top 1 points 11 months ago

Does this affect Nextcloud?

[-] jovialfaction@alien.top 1 points 11 months ago

That's why I keep nextcloud behind http basic auth. Don't trust those software to expose them directly to Internet.

[-] ShapeShifter499@alien.top 1 points 11 months ago

This would prevent nextcloud sync and phone apps from proper access wouldn't it?

[-] LuckyHedgehog@alien.top 1 points 11 months ago

Basic auth is better than no auth, but it is absolutely not a recommended auth method these days

[-] jovialfaction@alien.top 1 points 11 months ago

I use it on top of nextcloud auth

[-] LuckyHedgehog@alien.top 1 points 11 months ago

Basic auth is a base64 of your login credentials, might as well be plain text. You should absolutely not be using basic auth if you have other options

[-] Silencer306@alien.top 1 points 11 months ago

Like Authelia?

[-] idreamofjeanshorts@alien.top 1 points 11 months ago

Might be wise to use Authelia in front of any web apps as an extra layer.

[-] darkcyde_@alien.top 1 points 11 months ago
[-] Ystebad@alien.top 1 points 11 months ago

Yes hello, I’d like to biggie size my oof

[-] Illeazar@alien.top 1 points 11 months ago

Oof size: 10 (maximum oof size)

[-] martinjh99@alien.top 1 points 11 months ago

Does this pertain to Nextcloud as well??

[-] Arghblarg@lemmy.ca 1 points 11 months ago

As article states, you're not vulnerable if you don't have the 'graphapi' app installed, whatever that is. Checked my nextcloud instance and it's not there.

[-] DryPhilosopher8168@alien.top 1 points 11 months ago

I can't stress this enough, keep your private and enterprise cloud behind a vpn. Especially if you are a part time Admin with limited resources. Sooner or later you will be hacked.

[-] Silencer306@alien.top 1 points 11 months ago

So like a wireguard and Authelia?

[-] the-last-user@alien.top 1 points 11 months ago

Thanks, OP. Now if only I could figure out how to change the SQLite database password in ownCloud 10.10 (it's not stored in config.php, but there is a "passwordsalt" configured there).

[-] chevereto@alien.top 1 points 11 months ago

I'm surprised that ownCloud didn't use a single PHP entrypoint. In PHP software you must restrict access to .php files, that's front controller basis. They really did bad and I'm very disappointed.

[-] sonny4redit@alien.top 1 points 11 months ago

Ist this also affecting ownCloud OCIS as well?

[-] CoffeeCapy@alien.top 1 points 11 months ago

To my understanding, OCIS is a complete rewrite of OwnCloud and was written in Go. So my intuition tells me it's not but I could be wrong.

this post was submitted on 29 Nov 2023
0 points (50.0% liked)

Self-Hosted Main

504 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS