[Owncloud] Session hijacking vulnerability caused by time based token-generation.
thomas.mueller at tmit.eu
Wed Dec 14 13:10:37 UTC 2011
will here be a patch release 2.0.2?
Me - being the maintainer of the Debian package - has a high interest in fixing security issues asap.
(Even owncloud has not yet fully entered Debian ....)
Thomas Müller E-Mail: thomas.mueller at tmit.eu
Am Mittwoch, den 14.12.2011 um 13:32 schrieb Robin Appelman:
> I changed the token to also be based on the password of the user in
> git master and stable, this should be enough to prevent against this
> kind of attacks
> since trying to brute-force the token while you know the password
> seems kind of redundant :)
> Despite the maybe unfortunate way of making the issue public, many
> thanks for taking a look into ownCloud security.
> - Robin Appelman
> On Wed, Dec 14, 2011 at 10:43, Marc Muehlfeld
> <Marc.Muehlfeld at medizinische-genetik.de> wrote:
> > Hi,
> > maybe it's better to send the details of vulnerables only to the team
> > members and not to the list. If to detailed information are public it
> > increases the risk of attacks until a fix is available.
> > Maybe the team can provide a separate email address for security on the
> > homepage until a bugtracker exists which allows to mark bugs as
> > not-public-visible.
> > Regards,
> > Marc
> > _______________________________________________
> > Owncloud mailing list
> > Owncloud at kde.org
> > https://mail.kde.org/mailman/listinfo/owncloud
> Owncloud mailing list
> Owncloud at kde.org
More information about the Owncloud