Web application abuses : ownCloud Multiple Code Execution & Local File Disclosure Vulnerabilities (May 2014)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.804280

Category: Web application abuses

Title: ownCloud Multiple Code Execution & Local File Disclosure Vulnerabilities (May 2014)

Summary: ownCloud is prone to multiple arbitrary code execution and local file disclosure vulnerabilities.

Description: Summary:
ownCloud is prone to multiple arbitrary code execution and local file disclosure vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to:

- Improper verification of user-uploaded files by apps/contacts/import.php and
apps/contacts/ajax/uploadimport.php scripts.

- Insufficient sanitization of user-supplied input to lib/migrate.php script.

Vulnerability Impact:
Successful exploitation will allow remote attackers to execute arbitrary PHP
code by uploading a '.htaccess' file and gain access to arbitrary files.

Affected Software/OS:
ownCloud Server before version 4.0.13 and 4.5.x before version 4.5.8

Solution:
Update to version 4.0.13 or 4.5.8 or later.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-1850
Common Vulnerability Exposure (CVE) ID: CVE-2013-1851

Copyright Copyright (C) 2014 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.804280
Category:	Web application abuses
Title:	ownCloud Multiple Code Execution & Local File Disclosure Vulnerabilities (May 2014)
Summary:	ownCloud is prone to multiple arbitrary code execution and local file disclosure vulnerabilities.
Description:	Summary: ownCloud is prone to multiple arbitrary code execution and local file disclosure vulnerabilities. Vulnerability Insight: Multiple flaws are due to: - Improper verification of user-uploaded files by apps/contacts/import.php and apps/contacts/ajax/uploadimport.php scripts. - Insufficient sanitization of user-supplied input to lib/migrate.php script. Vulnerability Impact: Successful exploitation will allow remote attackers to execute arbitrary PHP code by uploading a '.htaccess' file and gain access to arbitrary files. Affected Software/OS: ownCloud Server before version 4.0.13 and 4.5.x before version 4.5.8 Solution: Update to version 4.0.13 or 4.5.8 or later. CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-1850 Common Vulnerability Exposure (CVE) ID: CVE-2013-1851
Copyright	Copyright (C) 2014 Greenbone AG