Unrated severity · NVD Advisory · Published Sep 5, 2012 · Updated Apr 29, 2026

CVE-2012-4389

Description

A vulnerability in ownCloud's migrate.php allows remote attackers to execute arbitrary code by uploading a malicious .htaccess file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before version 4.0.7 allows remote attackers to upload a crafted .htaccess file via an import.zip archive. The affected code path is in the copy_r function, which did not exclude .htaccess files from being copied during the import process [2]. This enables the attacker to bypass access controls and execute arbitrary PHP code.

Exploitation

An attacker needs network access to the ownCloud instance and the ability to upload an import archive (e.g., import.zip). The attacker crafts a ZIP file containing a malicious .htaccess file (e.g., to enable arbitrary PHP execution) and a PHP file. When the ZIP is imported, the copy_r function copies the .htaccess file into the destination directory, thereby overriding any existing restrictions. The attacker can then directly access the uploaded PHP file to achieve code execution [1].

Impact

Successful exploitation allows remote attackers to execute arbitrary code on the ownCloud server with the privileges of the web server. This can lead to full compromise of the ownCloud installation, including data theft, modification, or further server-side attacks.

Mitigation

Fixed in ownCloud version 4.0.7, released in September 2012. Users should update to 4.0.7 or later. The fix adds .htaccess to the list of skipped files in the copy_r function [2]. No workaround is available for earlier versions.
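
The fix described above, sketched as an added PHP example that is not ownCloud's code: a recursive copy whose skip list includes .htaccess, run over a constructed directory tree. The function name copy_tree_filtered, the constant SKIPPED_NAMES and the case-insensitive comparison are assumptions that go beyond what the advisory states.

```php
<?php
// Added illustration, not ownCloud source. All names here are hypothetical.

// Entry names never copied out of an extracted import archive. A skip list
// holding only "." and ".." is the incomplete form the advisory describes.
const SKIPPED_NAMES = ['.', '..', '.htaccess'];

/**
 * Recursively copy $src to $dest, leaving out skip-listed names.
 * Returns the paths that were skipped so the caller can log them.
 */
function copy_tree_filtered(string $src, string $dest, array $skip = SKIPPED_NAMES): array
{
    if (!is_dir($src)) {
        if (!copy($src, $dest)) {
            throw new RuntimeException("cannot copy $src");
        }
        return [];
    }
    if (!is_dir($dest) && !mkdir($dest, 0750, true)) {
        throw new RuntimeException("cannot create $dest");
    }
    $skipped = [];
    foreach ((scandir($src) ?: []) as $name) {
        // Lower-case first: on a case-insensitive filesystem ".HTACCESS"
        // names the same file the web server looks for.
        if (in_array(strtolower($name), $skip, true)) {
            if ($name !== '.' && $name !== '..') {
                $skipped[] = "$src/$name";
            }
            continue;
        }
        $skipped = array_merge($skipped, copy_tree_filtered("$src/$name", "$dest/$name", $skip));
    }
    return $skipped;
}

// Constructed sample tree standing in for an extracted import.zip.
$src = sys_get_temp_dir() . '/import_' . bin2hex(random_bytes(4));
mkdir("$src/files/sub", 0750, true);
file_put_contents("$src/files/notes.txt", "ordinary user file\n");
file_put_contents("$src/files/.htaccess", "# constructed placeholder\n");
file_put_contents("$src/files/sub/.HTACCESS", "# constructed placeholder\n");

$skipped = copy_tree_filtered($src, $src . '_dest');
echo "skipped:\n  " . implode("\n  ", $skipped) . "\n";
var_dump(file_exists($src . '_dest/files/notes.txt'));  // ordinary file is copied
var_dump(file_exists($src . '_dest/files/.htaccess'));  // override file is not
```

Returning the skipped paths lets the import code log every dropped entry, which gives operators a record of archives that carried a web-server override file.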

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12
  • OwnCloud/Owncloud: 2 versions
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:* (range: <=4.0.6)
    • (no CPE) (range: <4.0.7)
  • OwnCloud/Server: 10 versions
    • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*

Patches

1

References

2
