[Owncloud] Session hijacking vulnerability caused by time based token-generation.
smoesorino at googlemail.com
Wed Dec 14 09:03:19 UTC 2011
I use owncloud at my own webspace and since a week I have started to teach
myself some web-security stuff. Because of the short time I'm into this
topic, I was even more surprised that I actually found a vulnerability in
The description can be found here:
The fact you are open source and everyone can see your token generation
MUST lead to a random number token generation. If owncloud really wants to
be a multi-user platform this is a serious vulnerability. Once you know
what time a user logged in, it's easy to spam a bruteforce attack to
recreated the corresponding token. This gets even more relevant of you're
willing to implement such things as multi-user file access at the same
time. Operating with that, one can easily determine online activities of
I just started to investigate in security and the security of owncloud, I
hope I'll find some more exploits before someone else does :)
Best wishes and good work so far,
Ps.: Appending the user name to the token before it's hashed seems
ridiculous in an open source implementation.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owncloud