Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneLeonklingeleH1:508490
HistoryMar 12, 2019 - 3:45 p.m.

Nextcloud: Nextcloud domain and name of every user leaked to lookup server

2019-03-1215:45:55
leonklingele
hackerone.com
17

0.002 Low

EPSS

Percentile

55.0%

JSON

Steps to reproduce:

  1. Install and set up Nextcloud, (optional: create a few random users)

  2. Apply the following patch to a standard Nextcloud server:

diff --git a/settings/BackgroundJobs/VerifyUserData.php b/settings/BackgroundJobs/VerifyUserData.php
index 56ebadff9c..76ed8b5ed3 100644
--- a/settings/BackgroundJobs/VerifyUserData.php
+++ b/settings/BackgroundJobs/VerifyUserData.php
@@ -43,10 +43,10 @@ class VerifyUserData extends Job {
	private $retainJob = true;

	/** @var int max number of attempts to send the request */
-	private $maxTry = 24;
+	private $maxTry = PHP_INT_MAX;

	/** @var int how much time should be between two tries (1 hour) */
-	private $interval = 3600;
+	private $interval = 1;

	/** @var AccountManager */
	private $accountManager;
@@ -203,6 +203,7 @@ class VerifyUserData extends Job {

		// ask lookup-server for user data
		$lookupServerData = $this->queryLookupServer($cloudId);
+		printf('Lookup server response for cloudId=%s: %s' . PHP_EOL, $cloudId, print_r($lookupServerData, true));

		// for some reasons we couldn't read any data from the lookup server, try again later
		if (empty($lookupServerData)) {
  1. Run the Nextcloud cronjob from CLI:
$ sudo -u www-data php -f /path/to/nextcloud/cron.php
  1. Get an output similar to this (indicating that user names for every
    user and the Nextcloud domain is leaked to the lookup server):
Lookup server response for cloudId=admin@pferdeapfel.intranet.struktur.de:8096: Array
(
)

Lookup server response for cloudId=leaked@pferdeapfel.intranet.struktur.de:8096: Array
(
)

There’s absolutely no reason to leak such information. (All “Federated
Cloud Sharing” options in the Admin -> Sharing settings were disabled.)

This is especially bad as we have https://hackerone.com/bugs?report_id=508487

Impact

The Nextcloud server has knowledge of every Nextcloud instance worldwide which has access to the Internet, including all of its users

Related

cvelist 1
openvas 2
nextcloud 1
nvd 1
prion 1
osv 1
cve 1
suse 2
nessus 1
redhatcve 1
cvelist
cvelist
CVE-2019-15623
2020-02-04 19:08:57
openvas
openvas
Nextcloud Server < 14.0.13, < 15.0.9, < 16.0.2 Information Disclosure Vulnerability (NC-SA-2019-016)
2020-02-05 00:00:00
openSUSE: Security Advisory for nextcloud (openSUSE-SU-2020:0220-1)
2020-02-16 00:00:00
nextcloud
nextcloud
User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings (NC-SA-2019-016)
2019-06-26 00:00:00
nvd
nvd
CVE-2019-15623
2020-02-04 20:15:12
prion
prion
Code injection
2020-02-04 20:15:00
osv
osv
CVE-2019-15623
2020-02-04 20:15:12
cve
cve
CVE-2019-15623
2020-02-04 20:15:12
suse
suse
Security update for nextcloud (moderate)
2020-02-15 00:00:00
Security update for nextcloud (moderate)
2020-02-17 00:00:00
nessus
nessus
openSUSE Security Update : nextcloud (openSUSE-2020-220)
2020-02-18 00:00:00
redhatcve
redhatcve
CVE-2019-15618
2022-05-21 00:15:43

0.002 Low

EPSS

Percentile

55.0%

JSON
Related for H1:508490
cvelist1openvas2nextcloud1nvd1prion1osv1cve1suse2nessus1redhatcve1