CVE-2023-49103

CRITICAL KEV NUCLEI LAB

ownCloud Phpinfo Reader

Title source: metasploit

Exploitation Summary

CVE-2023-49103 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 30, 2023. EIP tracks 5 public exploits, including a Metasploit module (auxiliary/gather/owncloud_phpinfo_reader), from researchers including creacitysec, dyeat, and d0rb. A Nuclei detection template is also available.

Description

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

Exploits (5)

nomisec SCANNER 30 stars
by creacitysec · infoleak
https://github.com/creacitysec/CVE-2023-49103

This repository contains a Python script that scans for the presence of phpinfo() output in URLs, specifically targeting CVE-2023-49103 by appending /.css to bypass .htaccess restrictions. It uses multi-threading for efficiency and logs valid URLs to an output file.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ownCloud (specific version not specified)
No auth needed
Prerequisites: List of target URLs
devstral-2 · analyzed Feb 18, 2026

github SCANNER
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/OwnCloud/OwnCloud/CVE-2023-49103

The repository contains a Python script that checks for the presence of a vulnerable endpoint in ownCloud (CVE-2023-49103) by sending an HTTP request to a specific path and verifying if the response contains 'phpinfo()'. It does not exploit the vulnerability but scans for its existence.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ownCloud (core 10.6.0 to 10.13.0, graphapi 0.2.0 to 0.3.0, oauth2 < 0.6.1)
No auth needed
Prerequisites: Network access to the target ownCloud instance
devstral-2 · analyzed May 22, 2026

nomisec WORKING POC
by d0rb · remote
https://github.com/d0rb/CVE-2023-49103

The PoC exploits CVE-2023-49103, an unauthenticated information disclosure vulnerability in ownCloud's Graph API extension. It fetches sensitive environment variables from the `phpinfo` output and exfiltrates credentials to a reverse shell.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ownCloud (with Graph API extension)
No auth needed
Prerequisites: ownCloud instance with vulnerable Graph API extension · Access to the target endpoint `/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by merlin-ke · poc
https://github.com/merlin-ke/OwnCloud-CVE-2023-49103

This repository contains a functional exploit for CVE-2023-49103, leveraging a path traversal vulnerability in OwnCloud to execute arbitrary PHP code. The Dockerfile sets up an Apache server hosting a malicious PHP payload designed to trigger the vulnerability.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OwnCloud (versions affected by CVE-2023-49103)
No auth needed
Prerequisites: Access to a vulnerable OwnCloud instance · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
by h00die, creacitysec, Ron Bowes, random-robbie, Christian Fischer · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/owncloud_phpinfo_reader.rb

This Metasploit module exploits an information disclosure vulnerability in ownCloud's graph API, where a test file exposes phpinfo() output to unauthenticated users. It extracts sensitive environment variables such as database credentials, SMTP details, and Redis configurations.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ownCloud (Docker containers with graph app versions 0.2.0-0.2.1 or 0.3.0-0.3.1)
No auth needed
Prerequisites: Network access to the target ownCloud instance · Exposed graph API endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

OwnCloud - Phpinfo Configuration
HIGH · VERIFIED · by ritikchaddha
Shodan: title:"owncloud" || http.title:"owncloud"
FOFA: title="owncloud"

Scores

CVSS v3 10.0
EPSS 0.9433
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV: 2023-11-30
VulnCheck KEV: 2023-11-27
InTheWild.io: 2023-11-30
ENISA EUVD: EUVD-2023-53112
CWE: CWE-200
Status: published
Products (2): owncloud/graph_api 0.2.0, owncloud/graph_api 0.3.0
Published: Nov 21, 2023
KEV Added: Nov 30, 2023
Tracked Since: Feb 18, 2026