NextCloud / OwnCloud Cross Site Scripting
Posted on 17 May 2017
================================================================== Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages ================================================================== Information ------------------------------------------------------------------ Name: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages Affected Versions: Nextcloud Server < 11.0.3 Nextcloud Server < 10.0.5 Nextcloud Server < 9.0.58 Owncloud <= 9.1.5 Vendor Homepage : https://nextcloud.com/ https://owncloud.org/ Vulnerability Type: Reflected Cross Site Scripting Severity: Low CVE: CVE-2017-0891 Product ------------------- Nextcloud is a open source software for cloud storage service. Also, this software are more features for synchronizing. e.g. Calendar, contacts, tasks or RSS readers. It is a fork from Owncloud. Currently, Owncloud is working on backporting this vulnerability to be fixed in the next release, I hope. Description ------------------- A HTML injection vulnerability flaw in the Nextcloud and Owncloud. Through this vulnerability an attacker could manipulate the website. This vulnerability could affect to the logged users. An attacker could send a malicious link (that contains the manipulated URL) to a legitimate user that he is logged in and simulate the login screen to stole the password (phishing), or multiple attacks more, like XSS. Nextcloud and ownCloud use Content-Security-Policy which prevents execution of inline JavaScript. However, as of now prominently Internet Explorer hasn't implemented Content-Security-Policy thus being at risk against this reflected Cross-Site Scripting Exist more options to attack, for example, redirect the content of an <object> or <script> to a saved and shared items of your directory. Also, the mimetypes are well configured and the most browsers will not execute a javascript file that doesn't have the javascript content-type. Source code: https://github.com/nextcloud/server/pull/4228 https://github.com/owncloud/core/pull/27723 Proof of Concept ------------------- PoC: https://site/index.php/apps/files/ajax/download.php?files=%00&dir=HTMLCODE Solution ------------------- Update to the latest versions. More info: https://nextcloud.com/security/advisory/?id=nc-sa-2017-008 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0891 https://hackerone.com/reports/216812 Advisory Timeline -------------------- 22/03/2017 - Informed to Owncloud about the issue via Hackerone. 28/03/2017 - Informed to Nextcloud about the issue via Hackerone. 28/03/2017 - Nextcloud answered me and confirmed the vulnerability. 20/04/2017 - Send an email to Owncloud security... 21/04/2017 - Owncloud confirmed the vulnerability via HackerOne and they are working on the fix. 21/04/2017 - Nextcloud awarded me with 450$! 24/04/2017 - Nextcloud released new versions with the vulnerabilty fixed. 08/05/2017 - Nextcloud released the security advisories. 15/05/2017 - Public disclosure. Both are very good software. The vulnerability is not very risky. I guess Owncloud will release a new version this month. :) Credits & Authors -------------------- Manuel Mancera (@sinkmanu) Thanks to Lukas Reschke from Nextcloud for the fast replies and commitment with the security. A good transparency and collaboration makes the software better. Disclaimer ------------------- All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage.
