[Owncloud] Session hijacking vulnerability caused by time based token-generation.

Robin Appelman icewind1991 at gmail.com
Wed Dec 14 12:32:56 UTC 2011


I changed the token to also be based on the password of the user in
git master and stable; this should be enough to prevent this kind of
attack, since trying to brute-force the token while you know the
password seems kind of redundant :)

Despite the maybe unfortunate way of making the issue public, many
thanks for taking a look into ownCloud security.

- Robin Appelman



On Wed, Dec 14, 2011 at 10:43, Marc Muehlfeld
<Marc.Muehlfeld at medizinische-genetik.de> wrote:
> Hi,
>
> maybe it's better to send the details of vulnerabilities only to the
> team members and not to the list. If too-detailed information is
> public, it increases the risk of attacks until a fix is available.
>
> Maybe the team can provide a separate email address for security on the
> homepage until a bugtracker exists which allows bugs to be marked as
> not publicly visible.
>
> Regards,
> Marc
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
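Added illustration, not code from ownCloud or from either poster: a constructed time-seeded token scheme (hypothetical, chosen only to show why a timestamp alone gives a tiny candidate space), the mitigation the mail describes (binding the token to a per-user secret such as the stored password hash, done here with HMAC), and the preferred fix of drawing the token from the OS CSPRNG. Function names and the sample inputs are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed weak scheme (hypothetical, NOT ownCloud's actual code): the
# session token is just a hash of the login timestamp. Anyone who knows
# roughly when the victim logged in has only a handful of candidates.
def weak_token(login_time: int) -> str:
    return hashlib.sha1(str(login_time).encode()).hexdigest()

def weak_candidate_space(window_seconds: int) -> int:
    """Distinct tokens the weak scheme can emit within a time window:
    one per second, so the space is the window length itself."""
    return window_seconds

# Mitigation described in the mail: mix a per-user secret into the token
# so the timestamp alone no longer reproduces it. Use HMAC with the stored
# password hash as key rather than plain string concatenation; the secret
# never appears in the token and a different user yields a different token.
def keyed_token(login_time: int, password_hash: bytes) -> str:
    return hmac.new(password_hash, str(login_time).encode(),
                    hashlib.sha256).hexdigest()

# Preferred fix: take the token straight from the OS CSPRNG. No input is
# guessable, and the candidate space is 2**(8*nbytes) regardless of when
# the session was created or what the password is.
def random_token(nbytes: int = 32) -> str:
    return secrets.token_hex(nbytes)

def random_candidate_space(nbytes: int = 32) -> int:
    return 2 ** (8 * nbytes)

# Compare tokens in constant time so the check itself leaks no timing info.
def tokens_equal(presented: str, stored: str) -> bool:
    return hmac.compare_digest(presented, stored)

if __name__ == "__main__":
    t = 1323865976  # constructed login timestamp (Dec 2011)
    print("weak candidates in one hour:", weak_candidate_space(3600))
    print("random candidates (32 bytes):", random_candidate_space(32))
    print("keyed token differs per user:",
          keyed_token(t, b"hash-of-alice") != keyed_token(t, b"hash-of-bob"))
```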
