A New Vulnerability Discovered in OwnCloud
During an assessment, Max and Justin found a user enumeration vulnerability in the sharing functionality. This vulnerability allows an attacker to obtain a list of all registered users on the same ownCloud instance via the auto-complete dropdown. When using the web interface, at least 3 characters of the name or email of the share-receiver (“Sharee”) must match an existing account to trigger the auto-complete.
However, due to a bug in the underlying API endpoint, an attacker can enumerate all users in a single request by entering three whitespace characters or an asterisk (*). Additionally, retrieving the full user list on a large instance can place higher-than-average load on the server, which could amount to a denial of service.
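To make the failure mode concrete, the following is an added example, not ownCloud's code: a constructed user directory, a client-side three-character check as the web interface is described to have, a weak server-side search that reproduces the behaviour described above (the trimmed term is wrapped in wildcards, so an all-whitespace or `*` term matches every account; this mechanism is an assumption standing in for the real endpoint), and a hardened search beside it.

```python
"""Sharee auto-complete: weak search vs hardened search (illustrative, not ownCloud code)."""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed user directory standing in for the accounts on one instance.
USERS: List[Dict[str, str]] = [
    {"uid": "alice", "email": "alice@example.org"},
    {"uid": "bob", "email": "bob@example.org"},
    {"uid": "carol", "email": "carol@example.org"},
    {"uid": "dave", "email": "dave@example.org"},
]

MIN_CHARS = 3     # characters required before auto-complete fires
MAX_RESULTS = 10  # hard cap on sharees returned, bounds load on large instances


def ui_allows(term: str) -> bool:
    """Assumed client-side check: raw length only, so three spaces pass it.

    An attacker talking to the API directly never runs this check at all.
    """
    return len(term) >= MIN_CHARS


def weak_search(term: str) -> List[str]:
    """Assumed server-side behaviour behind the bug.

    No length check of its own (the UI was relied on for that); the term is
    trimmed and wrapped in wildcards, so '' and '*' both become a pattern
    that matches every uid and email in the directory.
    """
    pattern = "*" + term.strip().lower() + "*"
    return [
        u["uid"] for u in USERS
        if fnmatchcase(u["uid"].lower(), pattern)
        or fnmatchcase(u["email"].lower(), pattern)
    ]


def hardened_search(term: str) -> List[str]:
    """Trim first, require real characters, match literally, cap the result.

    Usernames match by prefix; e-mail addresses match only in full, because a
    substring match on a shared domain ("exa") would enumerate everyone again.
    """
    needle = term.strip().lower()
    if len(needle) < MIN_CHARS:
        return []
    hits = [
        u["uid"] for u in USERS
        if u["uid"].lower().startswith(needle) or needle == u["email"].lower()
    ]
    return hits[:MAX_RESULTS]


if __name__ == "__main__":
    for probe in ("   ", "*", "ali", "exa"):
        print(repr(probe), "ui:", ui_allows(probe),
              "weak:", weak_search(probe), "hardened:", hardened_search(probe))
```

The two points to carry over to a real fix are that the minimum-length check must run server-side on the trimmed input, and that the search term must never reach a wildcard or LIKE-style matcher unescaped; the result cap is what keeps a single request from pulling the whole directory on a large instance.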