Nextcloud: Allows any user to share their "Root" level folder by sharing "."
News category: Security vulnerabilities
Source: vulners.com
There seems to be a bug in the "File to Share" feature of Nextcloud Talk. It allows any authenticated user/admin to share their "root" level folder by manipulating the `"path":` parameter in the JSON body of the request to the remote API `/nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares`.

Steps to reproduce:

1. Create a new user account with no permissions/shared files.
2. In the admin account, enable Nextcloud Talk (speed).
3. Invite the new user to the chat.
4. Click on the file symbol in the chat window.
5. The "file to share" dialog window will pop up.
6. Select any folder from the admin account.
7. Capture that HTTP POST request in Burp Repeater.
8. Change `"path":"/<folder_name>"` to `"path":"."`, which indicates the root level of the folder.

You might get a 403, but if you look at the chat window on the user side you will see the admin's "root" folder shared to the user. This also works if you create a group chat and follow the same steps.

Expected Request

```
POST /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares HTTP/1.1
Host: [removed]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken: [removed]
Content-Length: 82
Origin: [removed]
Connection: close
Cookie: [removed]; oc_sessionPassphrase=[removed]; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; nc_username=[removed];...
...
```
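The defensive counterpart to the report above, as an added example that is not Nextcloud's own code: a server-side guard that canonicalizes the `path` field of the share request and refuses to persist anything that resolves to the user's root folder, run before any write, since the report notes the share appeared even though a 403 came back. The request bodies and the in-memory `store` are constructed for the example; only the `path` key is taken from the page.

```python
import json
import posixpath


def normalize_share_path(path: str) -> str:
    """Collapse a user-supplied share path to a canonical root-relative form.

    Returns '' when the path resolves to the user's root folder, which covers
    '.', './', '/', '' and any 'x/..' that walks back up to the root.
    """
    if not isinstance(path, str):
        raise ValueError("path must be a string")
    # Anchor at '/' so normpath resolves '.', '..' and duplicate slashes
    # relative to the user's root; stripping leading slashes first avoids
    # the POSIX '//' special case that normpath preserves.
    norm = posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))
    return norm.strip("/")


def is_root_share(path: str) -> bool:
    """True if sharing this path would expose the whole user root."""
    return normalize_share_path(path) == ""


def validate_share_request(body: str) -> dict:
    """Check the JSON body of a POST to the files_sharing shares endpoint.

    Missing, non-string or root-equivalent paths are all rejected.
    """
    data = json.loads(body)
    path = data.get("path")
    if not isinstance(path, str) or is_root_share(path):
        return {"allowed": False, "path": None,
                "reason": "sharing the root folder is not permitted"}
    return {"allowed": True, "path": normalize_share_path(path), "reason": None}


def handle_share_request(body: str, store: list) -> int:
    """Minimal handler: validate first, persist only when allowed, return status.

    The ordering is the point: a 403 must mean nothing was written, which is
    the property the report shows was violated.
    """
    verdict = validate_share_request(body)
    if not verdict["allowed"]:
        return 403  # nothing reaches the store
    store.append(verdict["path"])
    return 200
```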