Category: open source

  • From Markdown to RCE in Atom

    Recently I took a look at Atom, a text editor by GitHub. With a little bit of work, I was able to chain multiple vulnerabilities in Atom into an actual Remote Code Execution. The vulnerabilities have been fixed in the 1.21.1 release on October 12th, 2017 after I reported them via their HackerOne program. In case you want to…

  • CSP, ‘unsafe-eval’ and jQuery

    At Nextcloud we do employ a pretty strict Content-Security-Policy (CSP). In case you need a quick explanation of what CSP is, I’d suggest reading this older blog post of mine. One of the caveats with the implementation in Nextcloud is that we had to allow ‘unsafe-eval’ because of our historically grown code base. For example, we use handlebars.js for…

  • Nextcloud and its planned update improvements

    In the past, the update experiences with ownCloud have been difficult. It was not always clear when updates would be released for the updater app or how to move to a new major release. Apps disappeared after an update or apps were updated to an incompatible version (e.g. with a broken PHP dependency), or simply…

  • Nextcloud: Bruteforce, Two-Factor and more

    As you may have read in the official Nextcloud announcement we’re today releasing the Nextcloud 10 beta release. Besides adding a lot of awesome new features it also includes several security hardenings, such as adding support for a native bruteforce protection and Two-Factor Authentication. Nextcloud commits to keeping your data secure, we’re even going so far to…

  • Nextcloud, Bug Bounties and me

    It is a well-known fact that I’m a vocal supporter of Bug Bounty programs. I do believe that running a fair and engaging bug bounty program is a great addition to any software security process. My personal experiences with Bug Bounties go back to the end of 2011, when somebody made me aware of the…

  • Security and Nextcloud 9

    We’re constantly working on adding more security features and hardenings to Nextcloud; after all, it’s your data and it has to be protected properly. While the Nextcloud 9 release fixes a critical security issue (we have informed upstream about this but in the meanwhile recommend upgrading as soon as possible), it also adds another new…

  • Farewell, ownCloud Inc.

    I have been a contributor to the ownCloud project since the beginning of 2012. Starting as a volunteer, my contributions were small. I joined the IRC channel, helped people out there, and only over time did I start working with the code base more deeply. The community aspect has always been my main fascination. Seeing people from…

  • Distribution packages considered insecure

    If you have ever run a Linux-based operating system you are probably aware of the way that software is usually distributed on them: using a software repository. Repositories are great for numerous reasons. Want to install an application on Debian? Easy. Just execute apt-get install ffmpeg and ffmpeg has been installed. Updating? A quick apt-get update plus apt-get upgrade and all is…

  • Subtle vulnerabilities with PHP and cURL

    This post tries to prove that vulnerabilities can in fact be very subtle and that even people who master their toolkit and libraries can easily fall for them. It is based upon a vulnerability in ownCloud server fixed in June 2015. cURL is probably known to most readers of this blog. If not: It is a library…

  • ownCloud security development over the years

    A deep look at the numbers. It has been over three years now since ownCloud decided in 2012 to issue security advisories for each vulnerability at owncloud.org/security/ following industry best practice. We take this very seriously and create advisories even for very minor issues. What I have noticed is that people aren’t certain how to take this…
