Hey folks,

I use ownCloud on my own webspace, and a week ago I started to teach myself some web-security stuff. Because of the short time I've been into this topic, I was even more surprised that I actually found a vulnerability in ownCloud.

The description can be found here: http://www.smoesalicious.de/sec.html

The fact that you are open source and everyone can see your token generation MUST lead to a random number token generation. If ownCloud really wants to be a multi-user platform, this is a serious vulnerability. Once you know what time a user logged in, it's easy to spam a brute-force attack to recreate the corresponding token. This gets even more relevant if you're willing to implement such things as multi-user file access at the same time. Operating with that, one can easily determine the online activities of other users.

I just started to investigate security and the security of ownCloud; I hope I'll find some more exploits before someone else does :)

Best wishes and good work so far,
Simon

P.S.: Appending the user name to the token before it's hashed seems ridiculous in an open source implementation.
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
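The weakness reported in the message above, next to a hardened form, as an added example that is not part of the original post and is not ownCloud's code. The token layout (SHA-256 over a second-resolution login timestamp concatenated with the user name), all function names and the sample values are assumptions made for illustration.

```python
import hashlib
import math
import secrets


def weak_token(login_time: int, username: str) -> str:
    """Assumed shape of the reported scheme: hash(login time + user name)."""
    return hashlib.sha256(f"{login_time}{username}".encode()).hexdigest()


def strong_token(nbytes: int = 32) -> str:
    """Hardened form: drawn from the OS CSPRNG, independent of time and user."""
    return secrets.token_hex(nbytes)


def effective_bits_weak(window_seconds: int) -> float:
    """Unknown bits left when the login time is known to within the window.

    The user name contributes nothing: it is known, and the code is public.
    """
    return math.log2(max(window_seconds, 1))


def reproducible_from_public_inputs(token: str, username: str,
                                    approx_time: int,
                                    window_seconds: int) -> bool:
    """Regression check for a token scheme.

    True means the token can be rebuilt from the user name and a rough
    login time alone, so the scheme fails the check.
    """
    half = window_seconds // 2
    return any(
        weak_token(t, username) == token
        for t in range(approx_time - half, approx_time + half + 1)
    )


if __name__ == "__main__":
    login, user = 1_300_000_000, "alice"  # constructed sample values
    print("weak scheme fails check:",
          reproducible_from_public_inputs(weak_token(login, user),
                                          user, login + 120, 600))
    print("CSPRNG token fails check:",
          reproducible_from_public_inputs(strong_token(), user, login, 600))
    print("unknown bits, 10 min window: %.1f" % effective_bits_weak(600))
    print("unknown bits, CSPRNG token:", 32 * 8)
```
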
