Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneDavid_h1H1:1402249
HistoryNov 17, 2021 - 2:30 a.m.

Nextcloud: Control character filtering misses leading and trailing whitespace in file and folder names

2021-11-1702:30:13
david_h1
hackerone.com
21

0.002 Low

EPSS

Percentile

51.7%

JSON

Summary:

It is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection.

In lib/private/Files/Storage/Common.php, the filename is trimmed before being checked for control characters:

        556         protected function verifyPosixPath($fileName) {
        557                 $fileName = trim($fileName);
        558                 $this->scanForInvalidCharacters($fileName, "\\/");
        ...
        570         private function scanForInvalidCharacters($fileName, $invalidChars) {
        571                 foreach (str_split($invalidChars) as $char) {
        572                         if (strpos($fileName, $char) !== false) {
        573                                 throw new InvalidCharacterInPathException();
        574                         }
        575                 }
        576
        577                 $sanitizedFileName = filter_var($fileName, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
        578                 if ($sanitizedFileName !== $fileName) {
        579                         throw new InvalidCharacterInPathException();
        580                 }
        581         }

Steps To Reproduce:

  1. Create a file with an HTTP request of PUT /remote.php/webdav/%09%0a%0b%0dfile%09%0a%0b%0d
  2. Browse to http://NEXTCLOUD_HOST/index.php/apps/files/ and notice that the file has been created.
  3. Run ls in the data directory to see that the filename contains control characters.

or,

  1. Create a folder with an HTTP request of MKCOL /remote.php/dav/files/user/%09%0a%0b%0ddir%09%0a%0b%0d
  2. Browse to http://NEXTCLOUD_HOST/index.php/apps/files/ and notice that the folder has been created.
  3. Run ls in the data directory to see that the folder’s name contains control characters.

Supporting Material/References:

  • The result of ls in the data directory: F1516406.

Impact

This may just be a hardening issue, but if the file or directory names are inserted into an HTTP response unfiltered, CRLF injection may occur.

Related

prion 1
cve 1
osv 1
nvd 1
openvas 1
cvelist 1
nextcloud 1
nessus 1
gentoo 1
prion
prion
Design/Logic Flaw
2022-04-27 15:15:00
cve
cve
CVE-2022-24888
2022-04-27 15:15:09
osv
osv
CVE-2022-24888
2022-04-27 15:15:09
nvd
nvd
CVE-2022-24888
2022-04-27 15:15:09
openvas
openvas
Nextcloud Server < 20.0.14.4, 21.x < 21.0.8, 22.x < 22.2.4, 23.x < 23.0.1 Control Character Filtering Vulnerability (GHSA-w3h6-p64h-q9jp)
2022-05-23 00:00:00
cvelist
cvelist
CVE-2022-24888 Possible Injection in Nextcloud Server
2022-04-27 14:25:11
nextcloud
nextcloud
Control character filtering misses leading and trailing whitespace in file and folder names
2022-04-27 07:23:51
nessus
nessus
GLSA-202208-17 : Nextcloud: Multiple Vulnerabilities
2022-08-16 00:00:00
gentoo
gentoo
Nextcloud: Multiple Vulnerabilities
2022-08-10 00:00:00

0.002 Low

EPSS

Percentile

51.7%

JSON
Related for H1:1402249
prion1cve1osv1nvd1openvas1cvelist1nextcloud1nessus1gentoo1