Security News > 2023 > November > Critical bug in ownCloud file sharing app exposes admin passwords
Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.
OwnCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform.
Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details through a URL, exposing ownCloud admin passwords, mail server credentials, and license keys.
Php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys.
"Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."
Due to this, it's critical for ownCloud administrators to immediately apply the recommended fixes and perform the library updates as soon as possible to mitigate these risks.