  • From Markdown to RCE in Atom

    Recently I took a look at Atom, a text editor by GitHub. With a little bit of work, I was able to chain multiple vulnerabilities in Atom into an actual Remote Code Execution.

  • CSP, 'unsafe-eval' and jQuery

    At Nextcloud we do employ a pretty strict Content-Security-Policy (CSP). In case you need a quick explanation of what CSP is, I’d suggest reading this older blog post of mine.

  • Nextcloud: Bruteforce, Two-Factor and more

    As you may have read in the official Nextcloud announcement, we’re releasing the Nextcloud 10 beta today. Besides adding a lot of awesome new features, it also includes several security hardenings, such as adding support for a native bruteforce protection and Two-Factor Authentication.

  • Nextcloud, Bug Bounties and me

    It is a well-known fact that I’m a vocal supporter of Bug Bounty programs. I do believe that running a fair and engaging bug bounty program is a great addition to any software security process.

  • Security and Nextcloud 9

    We’re constantly working on adding more security features and hardenings to Nextcloud, after all it’s your data and it has to be protected properly. While the Nextcloud 9 release fixes a critical security issue (we have informed upstream about this but in the meanwhile recommend upgrading as soon as possible) it also adds another new very mighty security hardening.

  • Nextcloud and its planned update improvements

    In the past, the update experiences with ownCloud have been difficult. It was not always clear when updates would be released for the updater app or how to move to a new major release. Apps disappeared after an update or apps were updated to an incompatible version (e.g. with a broken PHP dependency), or simply the updater had a bug and broke the whole instance. We hear you and in fact, we share the same concerns! Our goal has always been to get you the best possible update experience but there was and is room for improvement.

  • Farewell, ownCloud Inc.

    I have been a contributor to the ownCloud project since the beginning of 2012. Starting as a volunteer, my contributions were small. I joined the IRC channel, helped people out there, and only over time did I start working with the code base more deeply.

  • Distribution packages considered insecure

    If you have ever run a Linux-based operating system you are probably aware of the way that software is usually distributed on them: using a software repository. They certainly can make your life easier, but on the other hand they may seriously affect the security of your system.

  • Subtle vulnerabilities with PHP and cURL

    This post tries to prove that vulnerabilities can in fact be very subtle and that even people who master their toolkit and libraries can easily fall for them. It is based upon a vulnerability in ownCloud server fixed in June 2015.

  • ownCloud security development over the years

    It has been over three years now since ownCloud decided in 2012 to issue security advisories for each vulnerability following industry best practice. We take this very seriously and create advisories even for very minor issues which may lead to wrong conclusions. To address some concerns, let's take a deep look at the numbers.

  • Combining ownCloud and Google calendar for public room availability

    In my coworking space we are using ownCloud calendar to keep track of the availability of our conference room, which we are also renting. However, we also want to be able to show the room availability publicly without disclosing personal information to the public. Even more limiting, since we use Jimdo to host our website we can’t execute any server-side code.

  • Security work going on in ownCloud

    Besides a lot of the performance work that was lately done as well as the stability and architectural improvements we work on, we are also striving to make ownCloud even more secure by improving our API as well as introducing new hardening features. In this blog post I am going to feature some of these changes.

  • Static JavaScript analysis with Burp

    The recent DOM-based Cross-Site Scripting vulnerability in WordPress has made me wonder how this could have happened in days when automated static code scanners are even integrated in standard tools such as Burp Suite (the leading toolkit for web application security testing). In this blog post I go a little bit into the details of the vulnerability and what can be done to catch such a vulnerability.

  • Content-Security-Policy and ownCloud

    New developers to ownCloud sometimes wonder why JavaScript code embedded in HTML templates is not executed in most browsers. The answer behind this lies in the Content-Security-Policy (CSP), a very powerful and interesting web security feature.

  • A tale about trusted_domains

    ownCloud is all about protecting your data and as part of our development cycle we’re proactively auditing and assessing the security of ownCloud. In fact, most security bugs that we fix are discovered by our very own security team and not by third-party researchers (although, keep those fixes coming third-party researchers!).

  • Diving into EGroupware: Object Injection

    Last weekend my colleague Andreas Fischer and I decided to take a look at EGroupware, which is a PHP-based groupware used by quite a few renowned organizations, especially in the German-speaking part of Europe (for example universities). Our short 4-hour audit led to the discovery and patching of a few vulnerabilities. In this post I’m going to feature one of these bugs, more specifically a PHP Object Injection.

  • Contributing back to open-source

    In the open-source community the so-called “Linus’s Law” by Eric Raymond is often cited as one of the reasons why open-source projects would be so much better and more bug-free than closed source alternatives. But is that actually the truth?