Ruancan has learned that a vulnerability has been disclosed in ownCloud, the open source private cloud storage software, that allows attackers to obtain administrator passwords. It is reported that some actual attacks have already occurred. Last week, ownCloud released information about the vulnerability, and security company Greynoise stated that it has seen cases of attacks exploiting it. However, the success rate of these attacks appears to be low, because the exploitation attempts use a non-existent URI and the exploit only works on systems running in containers. The vulnerability is exploited by using the phpinfo function in “graphapi” to request plaintext data. ownCloud advises users to change their passwords and other private data regardless. In addition, the phpinfo function has been disabled. Nextcloud, which is associated with ownCloud, states that it is not affected by this vulnerability.