[owncloud-devel] ownCloud solutions in *other* projects

Lukas Reschke lukas at statuscode.ch
Thu Jan 8 22:06:53 GMT 2015


> In order to celebrate ownCloud's 5th birthday (and the anniversary of
> my 3-year engagement with ownCloud), I have planned to write a blog
> post on how the development of ownCloud has benefited other software
> projects (not necessarily open source projects).

ownCloud’s security team has reported quite some vulnerabilities in well known and widely used 3rdparty libraries. Most notably:

- ZendFramework: http://framework.zend.com/security/advisory/ZF2014-01
- SabreDAV: http://www.cvedetails.com/cve/CVE-2013-1939/ + http://www.cvedetails.com/cve/CVE-2014-2055/
- TCPDF: https://github.com/tcpdf-clone/tcpdf/commit/8ec040b3ccedc2a0150a7b6b46c18c59d932ad59
- GetID3: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc (also used by Wordpress and so on…)
- PHPExcel: https://github.com/PHPOffice/PHPExcel/commit/c243bcb8ad2911cdbd0c272b284a516b444e606a
- PHPDocX: http://www.cvedetails.com/cve/CVE-2014-2056/

Also in quite some other components but those are not that widely used as the ones pointed out above. Also every one of the bugs pointed out above allowed an attacker to either execute arbitrary PHP Code or read arbitrary files from the system :-)

- Lukas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4139 bytes
Desc: not available
URL: <http://mailman.owncloud.org/pipermail/devel/attachments/20150108/92092941/attachment.p7s>


More information about the Devel mailing list