VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 26, 2015· Updated May 6, 2026

CVE-2015-6500

CVE-2015-6500

Description

Directory traversal in ownCloud Server allows authenticated users to list arbitrary directories and potentially cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in ownCloud Server allows authenticated users to list arbitrary directories and potentially cause denial of service.

Vulnerability

A directory traversal vulnerability exists in ownCloud Server versions before 8.0.6 and 8.1.x before 8.1.1. The flaw resides in the dir parameter of the script index.php/apps/files/ajax/scan.php. By supplying a crafted .. (dot dot) sequence in this parameter, an authenticated user can traverse outside the intended directory scope. The vulnerability is classified as CWE-548 (Information Exposure Through Directory Listing) [1].

Exploitation

An attacker must have a valid user account on the ownCloud instance. The attack is performed by sending an HTTP GET request to the vulnerable endpoint with a manipulated dir parameter containing path traversal sequences, such as ../../../. The request also requires a valid request token. The server then returns directory listings that include paths outside the user's own storage, potentially revealing the directory structure of other users or the underlying file system [1].

Impact

Successful exploitation allows the attacker to enumerate directory contents on the server, leading to information disclosure of file and folder names. Additionally, if a deeply nested directory is specified, the indexing process can consume significant CPU resources, potentially resulting in a denial-of-service condition [1].

Mitigation

The vulnerability is fixed in ownCloud versions 8.0.6 and 8.1.1, released on August 11, 2015. Users should upgrade to these or later versions. No workaround is documented in the available reference [1].

References
  1. https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-048.txt

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

15
  • OwnCloud/Owncloudinferred
    Range: <8.0.6,<8.1.1
  • OwnCloud/Server14 versions
    cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*+ 13 more
    • cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing path sanitization in the `dir` parameter allows directory traversal outside the user's restricted storage directory."

Attack vector

A remote authenticated user sends an HTTP GET request to `/index.php/apps/files/ajax/scan.php` with a `dir` parameter containing `../` sequences, such as `dir=../../../` [ref_id=1]. The application does not restrict the path to the user's own storage directory, allowing the attacker to enumerate directories outside their authorized scope [CWE-22]. By targeting a sufficiently deep directory tree, the attacker can also cause excessive CPU consumption as a denial-of-service condition [ref_id=1].

Affected code

The vulnerable endpoint is `index.php/apps/files/ajax/scan.php`, which accepts a `dir` parameter. The script uses this user-supplied path to index files without validating or sanitizing the path for directory traversal sequences [ref_id=1].

What the fix does

The advisory states the fix was applied in ownCloud versions 8.0.6 and 8.1.1 [ref_id=1]. While the advisory does not include a patch diff, the remediation involves properly sanitizing the `dir` parameter to prevent path traversal — ensuring that user-supplied paths are resolved within the user's own restricted storage directory rather than the underlying filesystem root [CWE-22].

Preconditions

  • authAttacker must have a valid ownCloud user account (authenticated).
  • networkThe vulnerable endpoint must be reachable over HTTP/HTTPS.
  • inputAttacker supplies a crafted `dir` parameter containing `../` sequences.

Reproduction

Send the following HTTP GET request as an authenticated user:

``` GET /index.php/apps/files/ajax/scan.php?force=true&dir=../../../&requesttoken=<valid_token> HTTP/1.1 Host: <target> ```

The server response will include `event: folder` lines listing directories outside the user's own storage, such as other users' directories and system paths [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.