ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica
“The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL”
I’m surprised that ownCloud didn’t use a single PHP entrypoint. In PHP software you must restrict access to .php files, that’s front controller basis. They really did bad and I’m very disappointed.