Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

potential RCE and XSS via file upload requiring user account and default settings

High
N
Nextcloud
Submitted None
Actions:
View on HackerOne
Reported by rcejules

Vulnerability Details

Technical details and impact analysis

Code Injection
#potential RCE and XSS via file upload requiring user account and default settings ##Requirements 1. User account that can upload files (NO admin) 2. User account name on creation (usually the same as on creation/displayed name) 3. data directory inside of nextcloud server folder (suggested by /var/www/nextcloud/config/config.sample.php) ##Tested on current release Version 16.0.4.1 stable Build: '2019-08-14T18:57:27+00:00 a1a245e88202d834f08f4c2e4451dcbe9baee3aa' ##Basic idea On nextcloud php files can be uploaded, but when clicked they are only shown in a text editor. If the URL to our skript is known, we get code execution. A RCE will work if the server has set it's data directory inside the nextcloud server folder and the username is known. ##config example The following is located in /var/www/nextcloud/config/config.sample.php: [https://github.com/nextcloud/server/blob/master/config/config.sample.php] ~~~~ * * Default to ``data/`` in the Nextcloud directory. */ 'datadirectory' => '/var/www/nextcloud/data', ~~~~ If this config is used, RCE is possible. ##Attack scenario: Short video attached. (To reproduce use a nextcloud instance and setup a user named attacker. Use any php script called shell.php, and set the datadirectory to /var/www/nextcloud/data) 1. Login to obtained user account (assume his name is "attacker") 2. upload malicious php script. (assume it is called "shell.php") 3. navigate to https://www.ournextclouddomain.com/data/attacker/files/shell.php 4. see some shells poppin This is possible since we know the direct path to our php script. Note: This can also be used for XSS since we can upload any html file! ##Prevention 1. user accounts could extend a seed on their foldername like attacker-19320143158015 2. usage of a custom seed inside the data directory. 3. different config than on the example ## Impact RCE, extract ser data or modify config file (if no special permissions are set), take over the server, also XSS is possible

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Code Injection