User Impersonation Vulnerability found in ownCloud v0.1.2

ownCloud is client-server software that grants administrators several privileges, including carrying out commands by acting as another user, essentially impersonating that user to carry out desired tasks. For security reasons, group administrators are only able to impersonate users who are members of their own group. Despite this measure, the software is exposed to a crucial user impersonation authorization bypass attack.

The vulnerability was first discovered by Thierry Viaccoz on the 15th of March. The first vendor notification was sent on the 16th of March, and the vendor acknowledged it the very same day. Just over a month later, the corrected version of the software, version 0.2.0, was released on the 17th of March, and the public disclosure date was set to the 29th of August, which was just a few days ago.

This vulnerability affects ownCloud version 0.1.2. Version 0.2.0 is unaffected. Other versions of ownCloud have not yet been tested, but it is suspected that older versions may be vulnerable to the same defect as version 0.1.2.

This high-risk vulnerability has not yet been assigned a CVE identifier. It is nonetheless being tracked under the CSNC ID CSNC-2018-015. The vulnerability is remotely exploitable, and it affects ownCloud’s Impersonate.

To recreate this attack, you must first create two groups (g1 and g2). Next, you must create four users in these groups: test1 (group g1, group admin of g1); test2 (group g1, group admin of no group); test3 (group g2, group admin of g2); test4 (group g2, group admin of no group).

The most significant mitigation, workaround, and/or fix put out for this issue is an advisory to users to constantly check other people’s authorization in order to stop group administrators from impersonating other people or groups.
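The rule described above (a group administrator may only impersonate members of a group they administer) can be written as a deny-by-default check and tested against the two groups and four users from the reproduction setup. This is an added example, not ownCloud's code: the `User` model, the function names, the extra full administrator `root`, and the rule that a group admin may never impersonate a full administrator are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()     # groups the user is a member of
    admin_of: frozenset = frozenset()   # groups the user administers
    is_admin: bool = False              # full (instance-wide) administrator

# Constructed fixture: the groups and users named in the article,
# plus a hypothetical full administrator "root".
USERS = {u.name: u for u in (
    User("test1", frozenset({"g1"}), frozenset({"g1"})),
    User("test2", frozenset({"g1"})),
    User("test3", frozenset({"g2"}), frozenset({"g2"})),
    User("test4", frozenset({"g2"})),
    User("root", is_admin=True),
)}

def may_impersonate(actor_name, target_name, users=USERS):
    """Decide whether actor may act as target. Anything not allowed is denied."""
    actor = users.get(actor_name)
    target = users.get(target_name)
    if actor is None or target is None or actor is target:
        return False                    # unknown account, or impersonating oneself
    if actor.is_admin:
        return True                     # full administrators are not group-scoped
    if target.is_admin:
        return False                    # assumption: no stepping up to a full admin
    # Group administrator: target must be in a group the actor administers.
    return bool(actor.admin_of & target.groups)

def decision_matrix(users=USERS):
    """Every (actor, target) pair with its decision, for review or regression tests."""
    return {(a, t): may_impersonate(a, t, users) for a in users for t in users}

if __name__ == "__main__":
    for (actor, target), allowed in sorted(decision_matrix().items()):
        if allowed:
            print(f"{actor} may impersonate {target}")
```

The decision has to be made from the stored group data at the moment an impersonation request is processed, and the full matrix makes a compact regression test for the cross-group cases (test1 against test3 or test4, and the reverse).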

Aaron Michael

