OwnCloud phpinfo Information Disclosure (CVE-2023-49103)
Description
CVE-2023-49103 is a critical information disclosure vulnerability in containerized OwnCloud deployments where the graphapi application exposes a phpinfo endpoint (GetPhpInfo.php). This endpoint reveals sensitive environment variables including admin passwords, mail server credentials, and license keys. The vulnerability affects OwnCloud graphapi versions prior to 0.2.1 and 0.3.0, allowing unauthenticated remote attackers to access this information without authentication.
Remediation
1. Immediately upgrade OwnCloud graphapi to version 0.2.1, 0.3.0, or later, which removes the vulnerable GetPhpInfo.php endpoint.
2. If immediate upgrade is not possible, manually remove or restrict access to the GetPhpInfo.php file in the graphapi application directory.
3. Rotate all credentials that may have been exposed, including admin passwords, database credentials, mail server passwords, and API keys stored in environment variables.
4. Review access logs for requests to /var/www/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php to identify potential exploitation.
5. Verify remediation by attempting to access the phpinfo endpoint - it should return a 404 error after patching.