Lucene search

K

Daniel_calvino_sanchezH1:885041

HistoryMay 28, 2020 - 7:30 p.m.

Nextcloud: The password of a mail share is not hashed if the password is given when the share is created

2020-05-2819:30:47

daniel_calvino_sanchez

hackerone.com

27

EPSS

0.002

Percentile

60.3%

Create a new mail share with a password by using the OCS endpoint with something like:
curl -u admin:admin -X POST -H “OCS-APIRequest: true” “http://localhost/ocs/v1.php/apps/files_sharing/api/v1/shares?path=welcome.txt&shareType=4&[email protected]&password=plainTextPassword”
Check the last item in the “oc_share” table in the database; the stored password is “plainTextPassword” instead of a hashed version.

Note that the password is properly hashed if the password is autogenerated (https://github.com/nextcloud/server/blob/caff1023ea72bb2ea94130e18a2a6e2ccf819e5f/apps/sharebymail/lib/ShareByMailProvider.php#L236) or if the share is later updated with another password (https://github.com/nextcloud/server/blob/16da29caba1cefa4c0762fae6014d6d2c737ee94/lib/private/Share20/Manager.php#L1085).

Impact

An attacker would be able to get the plain text password of a mail share.

EPSS

0.002

Percentile

60.3%

Related for H1:885041

cvelist1 nextcloud1 prion1 openvas4 nvd1 nessus4 freebsd1 cve1 osv1 suse1