Lukas' Random Thoughts

Category: open source

  • Combining ownCloud and Google calendar for public room availability

    In my coworking space we are using ownCloud calendar to keep track of the availability of our conference room which we are also renting. However, we want also to be able to show publicly the room availability without disclosing personal information to the public. Even more limiting, since we use Jimdo to host our website we can’t execute any server-side code.…

  • Security work going on in ownCloud

    Besides a lot of the performance work that was lately done as well as the stability and architectural improvements we work on, we are also striving to make ownCloud even more secure by improving our API as well as introducing new hardening features. In this blog post I am going to feature some of these changes. Those include: Please…

  • Static JavaScript analysis with Burp

    The recent DOM-based Cross-Site-Script vulnerability in WordPress has made me wonder how this could have happened in days where automated static code scanners are even integrated in standard tools such as Burp Suite (the leading toolkit for web application security testing). In this blog post I go a little bit into details about the vulnerability and what can be…

  • Content-Security-Policy and ownCloud

    New developers to ownCloud sometimes wonder why JavaScript code embedded in HTML templates is not executed in most browsers. The answer behind this lies in the Content-Security-Policy (CSP), a very powerful and interesting web security feature. While ownCloud uses CSP since version 5.0.0, which was released in March 2013 and was thus one of the…

  • A tale about trusted_domains

    ownCloud is all about protecting your data and as part of our development cycle we’re proactively auditing and assessing the security of ownCloud. In fact, most security bugs that we fix are discovered by our very own security team and not by third-party researchers (although, keep those fixes coming third-party researchers!). Many of the bugs with…

  • Diving into EGroupware: Object Injection

    Last weekend my colleague Andreas Fischer and I decided to take a look at EGroupware which is a PHP-based groupware used by quite some renowned organizations especially in the German speaking part of Europe (for example Universities). Our 4 hour short audit lead to the discovery and patching of a few vulnerabilities, in this post I’m going to feature one of…

  • Contributing back to open-source

    In the open-source community the so-called “Linus’s Law” by Eric Raymond is often cited as one of the reasons why open-source projects would be so much better and more bug-free than closed source alternatives. But is that actually the truth? Let’s take a look at said “law”: Given a large enough beta-tester and co-developer base,…