On 2014-08-15 12:38, Mihai Popescu wrote:
On June 29, there was a 5.5-stable update to www/owncloud to release
6.0.4 to fix a security issue.
The developers' announcement, from the webpage for this thingie (I
don't know what the hell this software is doing):
--------------
Yeah, you were screwed!
There are a number of security issues that have been fixed in that
release -- if I read their web page correctly -- including one which
that project perceives to be a high-risk issue:
https://owncloud.org/security/advisory/?id=oc-sa-2014-018
There's also a big one that earlier this month that project decided
*not to fix*. I don't know anything about OwnCloud either, but this
sort of issue is one that should probably be addressed.
https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php
"An attacker, who is able to read the PHP session files by exploiting
another web application that is running on the ownCloud server, will be
able to gather the unencrypted private key of every ownCloud user. All
encrypted files that are stored in a user's home directory can be
decrypted with this RSA private key, stored in the PHP session files in
plain text. If the user's encrypted files are synced to other devices
or shared with other servers - for hosting or backup - an attacker will
be able to decrypt all user data that is being intercepted, even if the
attacker no longer has access to the server's file system."
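An added check to go with the quoted advisory; it is not code from this
thread or from the ownCloud project. It scans a PHP session directory
(the directory PHP's session.save_path points at, files named
sess_<session id>) for PEM private keys and tells plaintext keys apart
from passphrase-protected ones. The session files it writes are
constructed here, and the session variable name "private_key" is a
hypothetical label, not ownCloud's. The point of the check is the one
the quote makes: any other application on the same host that can read
that directory can read those keys.

```python
"""Scan a PHP session directory for private keys stored in plaintext.

Added example for this thread; it is not ownCloud code and the session
files it writes are constructed here. Real session files live under the
PHP 'session.save_path' directory and are named 'sess_<session id>'.
"""
import os
import re
import tempfile
from typing import Dict, List

# One PEM block with any private-key tag (PKCS#1 "RSA PRIVATE KEY",
# PKCS#8 "PRIVATE KEY" / "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY", ...).
# The END tag must repeat the BEGIN tag, hence the backreference.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<tag>[A-Z ]*PRIVATE KEY)-----"
    rb"(?P<body>.*?)"
    rb"-----END (?P=tag)-----",
    re.DOTALL,
)


def classify_keys(blob: bytes) -> List[str]:
    """Label every PEM private key in blob as 'plaintext' or 'encrypted'.

    PKCS#8 keys under a passphrase use the ENCRYPTED PRIVATE KEY tag and
    legacy PKCS#1 keys carry a 'Proc-Type: 4,ENCRYPTED' header; anything
    else can be used directly by whoever reads the file.
    """
    labels = []
    for m in PEM_RE.finditer(blob):
        encrypted = (b"ENCRYPTED" in m.group("tag")
                     or b"Proc-Type: 4,ENCRYPTED" in m.group("body"))
        labels.append("encrypted" if encrypted else "plaintext")
    return labels


def scan_session_dir(path: str) -> Dict[str, List[str]]:
    """Map each sess_* file that holds private-key material to its labels."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(path)):
        if not name.startswith("sess_"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            labels = classify_keys(fh.read())
        if labels:
            findings[name] = labels
    return findings


def php_session_entry(key: str, value: str) -> str:
    """Encode one string variable in PHP's default session serialization.

    PHP counts bytes in 's:N'; the sample values here are ASCII, so len()
    gives the same number.
    """
    return f'{key}|s:{len(value)}:"{value}";'


# Constructed placeholders, not real keys; the body only has to look like PEM.
FAKE_RSA = ("-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEfakeKEYmaterial" * 2
            + "\n-----END RSA PRIVATE KEY-----")
FAKE_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFfakeENCRYPTEDkey\n"
                  "-----END ENCRYPTED PRIVATE KEY-----")


def write_sample_sessions(path: str) -> None:
    """Write three constructed session files into path.

    'private_key' is a hypothetical variable name chosen for this example,
    not the name ownCloud uses.
    """
    samples = {
        "sess_a1": php_session_entry("user_id", "alice")
                   + php_session_entry("private_key", FAKE_RSA),
        "sess_b2": php_session_entry("user_id", "bob"),
        "sess_c3": php_session_entry("private_key", FAKE_PKCS8_ENC),
    }
    for name, data in samples.items():
        with open(os.path.join(path, name), "w") as fh:
            fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Write the samples to a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_sessions(tmp)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    # On a real host, point scan_session_dir at the session.save_path
    # directory instead of the constructed samples.
    for fname, labels in demo().items():
        print(f"{fname}: {', '.join(labels)}")
```

Only the "plaintext" findings are the problem the advisory describes; an
"encrypted" hit still means key material is leaving the application's
own storage, but it is not directly usable. Giving each PHP application
its own session.save_path (and file ownership) is the configuration
change that removes the cross-application read the quote relies on.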