Category: web security

  • From Markdown to RCE in Atom

    Recently I took a look at Atom, a text editor by GitHub. With a little bit of work, I was able to chain multiple vulnerabilities in Atom into an actual Remote Code Execution. The vulnerabilities have been fixed in the 1.21.1 release on October 12th, 2017 after I reported it via their HackerOne program. In case you want to…

  • CSP, ‘unsafe-eval’ and jQuery

    At Nextcloud we do employ a pretty strict Content-Security-Policy (CSP). In case you need a quick explanation what CSP is, I’d suggest reading this older blog post of mine. One of the caveats with the implementation in Nextcloud is that we had to allow ‘unsafe-eval’ because of our historically grown code base. For example, we use handlebars.js for…

  • Nextcloud: Bruteforce, Two-Factor and more

    As you may have read in the official Nextcloud announcement we’re today releasing the Nextcloud 10 beta release. Besides adding a lot of awesome new features it also includes several security hardenings, such as adding support for a native bruteforce protection and Two-Factor Authentication. Nextcloud commits to keeping your data secure, we’re even going so far to…

  • Security and Nextcloud 9

    We’re constantly working on adding more security features and hardenings to Nextcloud, after all it’s your data and it has to be protected properly. While the Nextcloud 9 release fixes a critical security issue (we have informed upstream about this but in the meanwhile recommend upgrading as soon as possible) it also adds another new…

  • Subtle vulnerabilities with PHP and cURL

    This post tries to prove that vulnerabilities can in fact be very subtle and that even people who master their toolkit and libraries can easily fall for them. It is based upon a vulnerability in ownCloud server fixed in June 2015. cURL is probably known to most readers of this blog. If not: It is a library…

  • ownCloud security development over the years

    A deep look at the numbers. It has been over three years now since ownCloud decided in 2012 to issue security advisories for each vulnerability at owncloud.org/security/, following industry best practice. We take this very seriously and create advisories even for very minor issues. What I have noticed is that people aren’t certain how to take this…

  • Security work going on in ownCloud

    Besides a lot of the performance work that was recently done, as well as the stability and architectural improvements we are working on, we are also striving to make ownCloud even more secure by improving our API as well as introducing new hardening features. In this blog post I am going to feature some of these changes. Those include: Please…

  • Static JavaScript analysis with Burp

    The recent DOM-based Cross-Site-Scripting vulnerability in WordPress has made me wonder how this could have happened in days when automated static code scanners are even integrated in standard tools such as Burp Suite (the leading toolkit for web application security testing). In this blog post I go a little bit into the details of the vulnerability and what can be…

  • Content-Security-Policy and ownCloud

    New developers to ownCloud sometimes wonder why JavaScript code embedded in HTML templates is not executed in most browsers. The answer lies in the Content-Security-Policy (CSP), a very powerful and interesting web security feature. While ownCloud has used CSP since version 5.0.0, which was released in March 2013 and was thus one of the…

  • A tale about trusted_domains

    ownCloud is all about protecting your data and as part of our development cycle we’re proactively auditing and assessing the security of ownCloud. In fact, most security bugs that we fix are discovered by our very own security team and not by third-party researchers (although, keep those fixes coming third-party researchers!). Many of the bugs with…
