CVE-2012-5609
Description
Incomplete blacklist in ownCloud 4.5.1 and earlier allows authenticated users to upload a ZIP containing a malicious mount.php file, enabling arbitrary PHP code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A code execution vulnerability exists in the user migration import feature of ownCloud 4.5.1 and earlier. The import code in lib/migrate.php relies on an incomplete blacklist of file names when unpacking an imported ZIP archive, so a specially crafted mount.php contained in the archive is not blocked. When a user imports migration data, that mount.php is written into the user's data directory, where the web server can execute it, giving arbitrary PHP code execution. The issue is fixed in ownCloud 4.5.2 [1][4].
Exploitation
Any authenticated remote user who can reach the migration import feature (that is, who is permitted to import account data) can exploit this; no administrative rights are required. The attacker uploads a crafted ZIP archive containing a malicious mount.php alongside the export_info.json the importer expects. The import routine extracts the archive and copies its contents into the user's data directory. The attacker then requests the uploaded mount.php through the web server, which executes the PHP code it contains [2][3].
Impact
Successful exploitation lets the attacker run arbitrary PHP code on the ownCloud server with the privileges of the web server user. That is enough to read the ownCloud configuration and database, read, modify or delete every user's stored files, and attempt lateral movement within the hosting environment; in practice it amounts to full compromise of the instance [1].
Mitigation
Upgrade to ownCloud 4.5.2 or later. The fix, visible in commits e8a0cea and 4619c66, reworks file handling during migration so that only allowed directories are scanned and copied, and removes the insecure custom recursive copy routine [2][3]. There is no reliable workaround for unpatched versions; if upgrading is not immediately possible, disable or restrict access to the migration import feature. When checking for prior abuse, a mount.php inside a user's data directory (the location the importer writes to) should be treated as an indicator of attempted exploitation. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
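As an added illustration, not ownCloud's code and not the contents of the referenced commits, the following PHP sketch puts the denylist pattern described in the Exploitation section next to an allowlist-based importer of the kind the fix description implies. ALLOWED_DIRS, the function names and the constructed archive are assumptions made here; it needs PHP 8 with the zip extension.

```php
<?php
// Added example, not ownCloud code. Contrasts the denylist pattern behind
// CVE-2012-5609 with an allowlist-based importer. ALLOWED_DIRS, the function
// names and the sample archive are assumptions. Requires PHP 8 + ext-zip.
declare(strict_types=1);

// Top-level directories a migration archive may populate (assumed).
const ALLOWED_DIRS = ['files', 'files_versions'];

// Vulnerable pattern: block a few known names, extract everything else.
// The list says nothing about mount.php, MOUNT.PHP on a case-insensitive
// filesystem, or "../" components, so all of those are copied.
function denylist_allows(string $entry): bool
{
    $denied = ['export_info.json', 'config.php'];
    return !in_array(basename($entry), $denied, true);
}

// Hardened pattern: canonicalise the entry name, then require it to sit under
// an allowed directory. A top-level mount.php, traversal or an absolute path is
// rejected regardless of what the file is called. Returns the target path or null.
function safe_entry_target(string $entry, string $userDir): ?string
{
    if ($entry === '' || $entry[0] === '/' || preg_match('/^[A-Za-z]:/', $entry)
        || str_contains($entry, '\\') || str_contains($entry, "\0")) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $entry) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            return null;
        }
        $parts[] = $seg;
    }
    // Need "<allowed dir>/<file>"; a bare top-level file is never copied.
    // Metadata such as export_info.json is read from the archive stream instead.
    if (count($parts) < 2 || !in_array($parts[0], ALLOWED_DIRS, true)) {
        return null;
    }
    return $userDir . '/' . implode('/', $parts);
}

// Copies only allowed entries through our own computed path rather than
// ZipArchive::extractTo(), so names from the archive never reach the filesystem.
function import_migration_zip(string $zipPath, string $userDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $result = ['copied' => [], 'skipped' => []];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (str_ends_with($name, '/')) {
            continue; // directory entry; directories are created on demand below
        }
        $target = safe_entry_target($name, $userDir);
        if ($target === null) {
            $result['skipped'][] = $name;
            continue;
        }
        if (!is_dir(dirname($target))) {
            mkdir(dirname($target), 0750, true);
        }
        $in = $zip->getStream($name);
        $out = fopen($target, 'wb');
        stream_copy_to_stream($in, $out);
        fclose($in);
        fclose($out);
        $result['copied'][] = $name;
    }
    $zip->close();
    return $result;
}

// Demonstration on a constructed archive in a temporary directory.
$tmp = sys_get_temp_dir() . '/oc-import-' . bin2hex(random_bytes(4));
mkdir($tmp);
$zipPath = "$tmp/export.zip";
$zip = new ZipArchive();
$zip->open($zipPath, ZipArchive::CREATE);
$zip->addFromString('export_info.json', '{"ocversion":"4.5.1"}');
$zip->addFromString('files/notes.txt', 'harmless user data');
$zip->addFromString('mount.php', '<?php system($_GET["c"]);'); // shape of the CVE payload
$zip->addFromString('../../evil.php', '<?php phpinfo();');      // traversal attempt
$zip->close();

$zip = new ZipArchive();
$zip->open($zipPath);
for ($i = 0; $i < $zip->numFiles; $i++) {
    $n = $zip->getNameIndex($i);
    printf("%-18s denylist:%s allowlist:%s\n", $n,
        denylist_allows($n) ? 'copy' : 'skip',
        safe_entry_target($n, "$tmp/user") !== null ? 'copy' : 'skip');
}
$zip->close();
print_r(import_migration_zip($zipPath, "$tmp/user"));
```

Run it with `php import_demo.php`: the denylist column copies mount.php and the traversal entry, while the allowlist column copies only files/notes.txt. Note that the allowlist approach deliberately does not try to judge file contents or extensions; it reproduces the structural rule from the fix description (copy only known directories), which is what removes a top-level mount.php from the picture.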
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*
Patches
- e8a0cea
- 4619c66
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] owncloud.org/security/advisories/oc-sa-2012-004/ (NVD: Patch, Vendor Advisory)
- [2] github.com/owncloud/core/commit/4619c66 (NVD: Patch)
- [3] github.com/owncloud/core/commit/e8a0cea (NVD: Patch)
- [4] secunia.com/advisories/51357 (NVD: Vendor Advisory)
- [5] owncloud.org/changelog/ (NVD)
- [6] www.openwall.com/lists/oss-security/2012/11/30/3 (NVD)
News mentions
No linked articles in our index yet.