Nextcloud, when using LDAP user authentication with loglevel set to debug, writes user passwords to the log file.
Vulnerable versions: 26.0.4, 27.0.1.
Sample log file:
{"reqId":"QRqbkhMpRAY1ugvQMrPk","level":0,"time":"2023-08-08T11:17:11-03:00","remoteAddr":"<IPADDRESS>","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=<USERNAME>\",\"<PASSWORD>\"]","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","version":"27.0.1.2","data":{"app":"user_ldap"}}
Affected file:
apps/user_ldap/lib/LDAP.php
Vulnerable code:
private function preFunctionCall(string $functionName, array $args): void {
    $this->curArgs = $args;
    // Every argument is serialised and logged verbatim; for ldap_bind this
    // includes the user's plaintext password whenever loglevel is debug (0).
    $this->logger->debug('Calling LDAP function {func} with parameters {args}', [
        'app' => 'user_ldap',
        'func' => $functionName,
        'args' => json_encode($args),
    ]);
}
A local administrator with read access to the log file can retrieve user passwords.
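For operators assessing exposure on an affected instance, the following is an added example (not part of the advisory or of Nextcloud's code) that scans nextcloud.log entries in the JSON format shown above for ldap_bind debug messages and reports which bind DNs had a credential written to disk, without copying the password itself. The sample log lines and credential value are constructed placeholders.

```python
import json
import re

# Constructed sample lines in the Nextcloud JSON log format from the advisory.
# The bind credential is a placeholder, not a real secret.
SAMPLE_LOG = r'''
{"reqId":"a1","level":0,"time":"2023-08-08T11:17:11-03:00","remoteAddr":"203.0.113.5","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Calling LDAP function ldap_bind with parameters [{},\"uid=alice,ou=people,dc=example,dc=org\",\"s3cret-placeholder\"]","userAgent":"x","version":"27.0.1.2","data":{"app":"user_ldap"}}
{"reqId":"a2","level":0,"time":"2023-08-08T11:17:12-03:00","remoteAddr":"203.0.113.5","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Calling LDAP function ldap_search with parameters [{},\"dc=example,dc=org\",\"(uid=alice)\"]","userAgent":"x","version":"27.0.1.2","data":{"app":"user_ldap"}}
{"reqId":"a3","level":2,"time":"2023-08-08T11:18:00-03:00","remoteAddr":"203.0.113.5","user":"bob","app":"core","method":"GET","url":"/","message":"Login successful","userAgent":"x","version":"27.0.1.2","data":{}}
not json at all
'''

# Matches the message template used by preFunctionCall for ldap_bind.
BIND_RE = re.compile(r"^Calling LDAP function ldap_bind with parameters (\[.*\])$")


def find_leaked_binds(log_text: str) -> list[dict]:
    """Return one finding per ldap_bind debug entry that carried a credential."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines (rotated text logs, noise) are skipped
        if entry.get("app") != "user_ldap":
            continue
        m = BIND_RE.match(entry.get("message", ""))
        if not m:
            continue
        try:
            params = json.loads(m.group(1))  # json_encode($args) from the PHP side
        except json.JSONDecodeError:
            continue
        if not isinstance(params, list) or len(params) < 3:
            continue
        bind_dn, secret = params[1], params[2]
        if not secret:
            continue  # anonymous bind: no credential was written
        findings.append({
            "time": entry.get("time"),
            "reqId": entry.get("reqId"),
            "bind_dn": bind_dn,
            "secret_length": len(secret),  # report size only, never the value
        })
    return findings


if __name__ == "__main__":
    for f in find_leaked_binds(SAMPLE_LOG):
        print(f"{f['time']} reqId={f['reqId']} credential logged for {f['bind_dn']}")
```

Each reported bind DN identifies an account whose password should be rotated once logging is lowered from debug and the affected log files are purged.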