CVE-2014-2044

Name of the Vulnerable Software and Affected Versions ownCloud versions prior to 5.0

Description The issue allows remote authenticated users to bypass access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter. This can be achieved by using ADS syntax, such as .htaccess::$DATA, to upload a PHP program, thus enabling the execution of arbitrary code.

Recommendations For ownCloud versions prior to 5.0, update to version 5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax/upload.php endpoint to minimize the risk of exploitation. Avoid using the filename parameter in the affected endpoint until the issue is resolved.