hackerone / alacn1 / H1:2101165
History: Aug 08, 2023 - 2:40 p.m.

Nextcloud: user_ldap app logs user passwords in the log file on level debug

Published: 2023-08-08 14:40:53
Reporter: alacn1
Source: hackerone.com
12
Tags: nextcloud, ldap, user authentication, log file, security vulnerability, bug bounty, code level debug

AI Score: 7.3 High (confidence: Low)
EPSS: 0.0004 Low (percentile: 15.5%)

Summary:

A Nextcloud instance that authenticates users against LDAP (the user_ldap app) and runs with loglevel set to debug writes the plaintext password of every LDAP user who logs in to the Nextcloud log file.
Vulnerable versions: 26.0.4, 27.0.1.

Steps To Reproduce:

  1. Use a Nextcloud instance with LDAP user authentication (the user_ldap app) enabled.
  2. Set loglevel to 0 (debug) in the Nextcloud config.
  3. Log in to Nextcloud as an LDAP user.
  4. Search the Nextcloud log file for lines containing 'ldap_bind': the third entry in the logged parameter list is the user's plaintext password.

Supporting Material/References:

Sample log line (IP address, username and password replaced by placeholders):

{"reqId":"QRqbkhMpRAY1ugvQMrPk","level":0,"time":"2023-08-08T11:17:11-03:00","remoteAddr":"<IPADDRESS>","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=<USERNAME>\",\"<PASSWORD>\"]","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"user_ldap"}}

Affected file:
apps/user_ldap/lib/LDAP.php

Vulnerable code:

	/**
	 * Runs before every wrapped LDAP call. At log level debug it records the
	 * function name together with the complete, json_encode()'d argument list,
	 * so for ldap_bind($link, $dn, $password) the plaintext password is written
	 * to the log verbatim.
	 */
	private function preFunctionCall(string $functionName, array $args): void {
		$this->curArgs = $args;
		$this->logger->debug('Calling LDAP function {func} with parameters {args}', [
			'app' => 'user_ldap',
			'func' => $functionName,
			'args' => json_encode($args), // credential arguments are not redacted
		]);
	}
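An administrator acting on this report needs two things beyond step 4's search for 'ldap_bind': a list of which accounts' passwords actually reached the log (to force rotation), and a scrubbed copy of the file before it is retained or shipped anywhere. The script below is an added example, not code from the HackerOne report or from Nextcloud. It assumes Nextcloud's JSON-per-line log format and the message shape shown in the sample line above, where the argument list logged by preFunctionCall() for ldap_bind($link, $dn, $password) encodes the link as {} followed by the DN and the password; the log lines it carries are constructed for the demonstration. It goes slightly beyond the report by parsing the logged argument list, so an anonymous bind with an empty password is not counted as a leak, and by rewriting leaking lines with the password replaced.

```python
"""Scan a Nextcloud log for LDAP passwords leaked by user_ldap debug logging
and write a redacted copy.

Added example for this report; not Nextcloud's or the reporter's code.
Assumes Nextcloud's JSON-per-line log and a leaking entry of the form
    {"app":"user_ldap", ..., "message":"Calling LDAP function ldap_bind
     with parameters [{},\"<dn>\",\"<password>\"]"}
"""
import json
import re
import sys

REDACTED = "***REDACTED***"

# Message written by preFunctionCall(); group 2 is the json_encode()'d argument list.
_BIND_RE = re.compile(r"^Calling LDAP function (ldap_bind) with parameters (.*)$", re.S)


def leaked_bind(entry):
    """Return (dn, password) if a parsed log entry leaks a bind password, else None."""
    if entry.get("app") != "user_ldap":
        return None
    m = _BIND_RE.match(entry.get("message", ""))
    if not m:
        return None
    try:
        args = json.loads(m.group(2))
    except ValueError:
        return None
    # ldap_bind($link, $dn, $password): link encodes as {}, then DN, then secret.
    if not isinstance(args, list) or len(args) < 3:
        return None
    dn, password = args[1], args[2]
    if not isinstance(password, str) or password in ("", REDACTED):
        return None  # anonymous bind, or a line this tool already scrubbed
    return dn, password


def find_leaks(lines):
    """List every leaked bind as who/when/where, deliberately without the password."""
    leaks = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON entry (e.g. a stray PHP warning); skip it
        hit = leaked_bind(entry)
        if hit:
            leaks.append({"time": entry.get("time"), "dn": hit[0],
                          "remoteAddr": entry.get("remoteAddr"),
                          "reqId": entry.get("reqId")})
    return leaks


def redact_line(line):
    """Return the line with the bind password replaced; unchanged if it leaks nothing."""
    try:
        entry = json.loads(line)
    except ValueError:
        return line
    if leaked_bind(entry) is None:
        return line
    m = _BIND_RE.match(entry["message"])
    args = json.loads(m.group(2))
    args[2] = REDACTED
    # Compact separators match PHP's json_encode() output, so the entry keeps its shape.
    entry["message"] = "Calling LDAP function %s with parameters %s" % (
        m.group(1), json.dumps(args, separators=(",", ":")))
    return json.dumps(entry, separators=(",", ":"))


# Constructed sample lines (fake DN, password and IP) shaped like the report's sample.
SAMPLE_LOG = [
    json.dumps({"reqId": "QRqbkhMpRAY1ugvQMrPk", "level": 0, "time": "2023-08-08T11:17:11-03:00",
                "remoteAddr": "203.0.113.7", "user": "--", "app": "user_ldap", "method": "POST",
                "url": "/login", "version": "27.0.1.2", "data": {"app": "user_ldap"},
                "message": 'Calling LDAP function ldap_bind with parameters '
                           '[{},"uid=alice,ou=people,dc=example,dc=org","S3cret!pass"]'}),
    # Anonymous bind: logged by the same code path, but nothing secret in it.
    json.dumps({"level": 0, "time": "2023-08-08T11:17:10-03:00", "app": "user_ldap",
                "message": 'Calling LDAP function ldap_bind with parameters [{},null,""]'}),
    # Another wrapped call from the same debug path; no credential involved.
    json.dumps({"level": 0, "time": "2023-08-08T11:17:12-03:00", "app": "user_ldap",
                "message": 'Calling LDAP function ldap_search with parameters '
                           '[{},"dc=example,dc=org","(uid=alice)"]'}),
    "# constructed non-JSON line that a scanner must skip without crashing",
]

if __name__ == "__main__":
    # Usage: python3 scan_nextcloud_log.py [nextcloud.log [redacted-output-file]]
    src = open(sys.argv[1], encoding="utf-8").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for leak in find_leaks(src):
        print("leaked bind password: dn=%(dn)s time=%(time)s from=%(remoteAddr)s reqId=%(reqId)s" % leak)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            out.write("\n".join(redact_line(l) for l in src) + "\n")
```

Run it with the path to nextcloud.log as the first argument, and a second path to receive the scrubbed copy. Every DN it reports should be treated as a compromised credential and rotated; redacting the file limits further exposure but does not undo it, and the same lines may already sit in log shipping, syslog or backup copies. Return loglevel to its default of 2 (warning) as soon as debugging is finished.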

Impact

A local administrator, or anyone else who can read the Nextcloud log file, can retrieve the plaintext passwords of LDAP users who logged in while debug logging was enabled.
