When downloading mail attachments, the app fails to properly escape quotes in the Content-Disposition header. Because of this, an attacker can send a victim a file with a benign extension such as `.txt` or `.png` which, when downloaded, will be stored with a malicious extension such as `.bat` or `.docm`.
This vulnerability can for example be exploited in the following scenarios: an attacker sends an attachment named `test.bat".png`. When the victim downloads the `.png` file, it will be downloaded as `test.bat` instead. Tested with Firefox under Windows.
As an alternative to `.bat` files (which may be prevented from executing by Microsoft Defender SmartScreen), an attacker can also send other malicious files, for example `.vbs` files, or `.docm` files containing macro viruses.
```http
GET /nextcloud/index.php/apps/mail/api/messages/26/attachment/2 HTTP/1.1
Host: 192.168.0.101

HTTP/1.1 200 OK
[...]
Content-Disposition: attachment; filename="test.bat".png"
[...]
Content-Type: application/octet-stream

C:\Windows\system32\calc.exe
```
Quotes should be properly escaped before being inserted into the Content-Disposition header.
Impact: an attacker can offer malicious files for download, leading to code execution on the victim's computer if they download and open the file.
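The escaping the fix calls for, shown as an added example that is not Nextcloud Mail's own code: a vulnerable header builder next to a hardened one, plus a small quoted-string parser that reads the header the way a client would, which makes visible why an attachment named `test.bat".png` ends up stored as `test.bat`. The `_read_quoted` parser, the `is_well_formed` check and the use of an RFC 5987-style `filename*=UTF-8''...` parameter are this example's own choices, and the sample filenames are constructed.

```python
import re
import urllib.parse

# Constructed attachment names: a benign one and the crafted name from the report.
SAMPLE_NAMES = ["report.png", 'test.bat".png']


def content_disposition_unsafe(filename):
    """Vulnerable form: the user-controlled name is dropped into the quoted-string unescaped."""
    return f'attachment; filename="{filename}"'


def content_disposition_safe(filename):
    """Hardened form: strip control characters, escape backslash and double quote
    (RFC 7230 quoted-pair), and carry the exact UTF-8 name in filename* (RFC 5987)."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", filename)  # no CR/LF header splitting
    ascii_name = "".join(ch if 0x20 <= ord(ch) < 0x7F else "_" for ch in cleaned)
    ascii_name = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    extended = urllib.parse.quote(cleaned, safe="")  # percent-encode everything reserved
    return f'attachment; filename="{ascii_name}"; filename*=UTF-8\'\'{extended}'


def _read_quoted(header, start):
    """Read an RFC 7230 quoted-string body beginning just after its opening quote.
    Returns (value, index_after_closing_quote), or (value, None) if unterminated."""
    out, i = [], start
    while i < len(header):
        ch = header[i]
        if ch == "\\" and i + 1 < len(header):  # quoted-pair: take next char literally
            out.append(header[i + 1])
            i += 2
            continue
        if ch == '"':  # first unescaped quote terminates the value
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    return "".join(out), None


def parse_filename(header):
    """The name a client following quoted-string rules would save the download under."""
    m = re.search(r'filename="', header)
    if not m:
        return None
    value, _ = _read_quoted(header, m.end())
    return value


# After the closing quote only further ';' separated parameters (or nothing) may follow.
_PARAM_TAIL = re.compile(r'^(?:\s*;\s*[\w*-]+=(?:"(?:[^"\\]|\\.)*"|[^;\s"]+))*\s*$')


def is_well_formed(header):
    """True when the filename quoted-string is terminated and nothing stray trails it;
    the report's header fails because '.png"' is left dangling after the closing quote."""
    m = re.search(r'filename="', header)
    if not m:
        return False
    _, end = _read_quoted(header, m.end())
    return end is not None and bool(_PARAM_TAIL.match(header[end:]))


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        for builder in (content_disposition_unsafe, content_disposition_safe):
            hdr = builder(name)
            print(f"{builder.__name__:28} {hdr}")
            print(f"{'':28} saved as: {parse_filename(hdr)!r}  well-formed: {is_well_formed(hdr)}")
```

Running the block prints, for the crafted name, that the unsafe header is saved as `test.bat` and is malformed, while the hardened header round-trips the full name; an `is_well_formed` style check can also be applied to outgoing headers in a test suite as a regression guard.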