[Owncloud] Session hijacking vulnerability caused by time based token-generation.

Smoes Orino smoesorino at googlemail.com
Wed Dec 14 09:03:19 UTC 2011


Hey folks,

I use owncloud at my own webspace and a week ago I started to teach
myself some web-security stuff. Because of the short time I'm into this
topic, I was even more surprised that I actually found a vulnerability in
owncloud:

The description can be found here:
http://www.smoesalicious.de/sec.html

The fact you are open source and everyone can see your token generation
MUST lead to a random number token generation. If owncloud really wants to
be a multi-user platform this is a serious vulnerability. Once you know
what time a user logged in, it's easy to spam a bruteforce attack to
recreate the corresponding token. This gets even more relevant if you're
willing to implement such things as multi-user file access at the same
time. Operating with that, one can easily determine online activities of
other users.

I just started to investigate in security and the security of owncloud, I
hope I'll find some more exploits before someone else does :)


Best wishes and good work so far,

Simon


P.S.: Appending the user name to the token before it's hashed seems
ridiculous in an open source implementation.
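
Added example, not part of the original message and not ownCloud's code: a sketch of why a token hashed from the login time plus user name carries almost no secrecy, next to a generator that draws from the OS CSPRNG. All function names are hypothetical, and the SHA-256 choice, the input layout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets


def weak_token(username: str, login_time: int) -> str:
    """Stand-in for the criticised pattern: hash(login time + user name).
    The hash and the concatenation order are assumptions, not ownCloud's code."""
    return hashlib.sha256(f"{login_time}{username}".encode()).hexdigest()


def weak_token_entropy_bits(window_seconds: int, ticks_per_second: int = 1) -> float:
    """Upper bound on the token's unpredictability for someone who knows the
    user name and the login time to within window_seconds. The hash adds
    nothing: every input is public or guessable, so only the clock counts."""
    return math.log2(window_seconds * ticks_per_second)


def strong_token(nbytes: int = 32) -> str:
    """Session token taken from the OS CSPRNG; independent of time and user."""
    return secrets.token_hex(nbytes)


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so the check does not leak matching prefixes."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    t = 1_323_853_399  # constructed epoch timestamp, for illustration only
    # Same inputs always give the same token: nothing secret is mixed in.
    print("deterministic:", weak_token("alice", t) == weak_token("alice", t))
    # Login time known to within an hour, one-second clock resolution.
    print("weak, 1 h window:  %.1f bits" % weak_token_entropy_bits(3600))
    # Even a microsecond clock and a one-minute window stays far below 128 bits.
    print("weak, 1 min @ us:  %.1f bits" % weak_token_entropy_bits(60, 1_000_000))
    print("strong token bits:", 32 * 8)
    tok = strong_token()
    print("verify ok:", token_matches(tok, tok))
```
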