ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica
“The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL”
OwnedCloud.
Thank you, thank you.
That’s why I keep Nextcloud behind HTTP basic auth. I don’t trust that software enough to expose it directly to the Internet.
Basic auth is better than no auth, but it is absolutely not a recommended auth method these days.
I use it on top of Nextcloud auth.
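As an added illustration of the setup this sub-thread describes (a config written for this page, not the commenter's own), here is an nginx front end that demands HTTP basic auth before any request is proxied to a self-hosted Nextcloud. The hostname, the backend port, the htpasswd path and the certificate paths are assumptions.

```nginx
# Added example, not from the thread. Assumptions: Nextcloud listens on
# 127.0.0.1:8080; the credential file was created with
#   htpasswd -B -c /etc/nginx/nextcloud.htpasswd <user>      (bcrypt hashes)
# and the TLS paths are placeholders for the operator's real certificate.

# Plain HTTP only redirects, so basic-auth credentials are never sent in clear.
server {
    listen 80;
    server_name cloud.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cloud.example.com;

    ssl_certificate     /etc/ssl/certs/cloud.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/cloud.example.com.key;  # placeholder

    # Outer gate: nginx answers 401 itself for any request without valid
    # proxy credentials, so unauthenticated traffic to *any* path, including
    # paths the application would serve without a login, never reaches the app.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/nextcloud.htpasswd;

    # Proxy credentials come from the htpasswd file, not from nginx's own
    # user database; disable access-log leakage of credentials by never
    # logging the Authorization header (default log format does not).
    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Two practical points: the application's own login still applies behind this gate, which is the "on top of" layering the commenter means, so a bug in the app's unauthenticated endpoints is only reachable by someone who already holds the proxy credentials. The caveat is that clients which authenticate to Nextcloud with their own `Authorization` header (the desktop and mobile sync clients, WebDAV mounts) collide with proxy-level basic auth, since nginx consumes that header first; such setups usually carve out a separate hostname or path for those clients, or move to a reverse proxy that enforces an OIDC login instead, as the later comment suggests.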
Oof size: LARGE.
Is this also affecting ownCloud OCIS?
This is why I don’t expose anything other than my WireGuard on my network.
Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this on a weekly basis, even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC-based IdP.
We generally spend a couple of days to a week before finding something critical allowing RCE.