Nextcloud: Content Injection 404 page

2016-06-19T12:17:22
ID H1:145849
Type hackerone
Reporter testest
Modified 2016-06-19T12:22:53

Description

Hi there,

Similar to reports #145344 and #145532, it's possible to spoof the 404 page using HTTP.

PoC URL: http://nextcloud.com/has%2f%20been%20changed%20to%20https://www.ATTACKER.COM.%20so%20please%20visit%20https://www.ATTACKER.COM%20as%20your%20requested%20link

Note: If this redirects you to HTTPS, clear the cache or use another browser.

If you need more information, let me know.

Thanks!
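
The following is an added example, not part of the original report and not Nextcloud's code. It shows why the PoC is text injection rather than XSS: HTML-escaping the reflected path does not remove the spoofed sentence, while a static error body does. It assumes a 404 template that echoes the decoded request path (the report does not show the server's actual template), and the function names are hypothetical.

```python
import html
from urllib.parse import unquote

# Path portion of the PoC URL from the report (scheme and host removed).
POC_PATH = ("/has%2f%20been%20changed%20to%20https://www.ATTACKER.COM."
            "%20so%20please%20visit%20https://www.ATTACKER.COM"
            "%20as%20your%20requested%20link")


def render_404_reflecting(raw_path: str) -> str:
    """Assumed vulnerable template: echoes the decoded path, HTML-escaped.

    Escaping blocks markup injection, but the path is still attacker-chosen
    prose that the victim reads as part of the site's own error message.
    """
    shown = html.escape(unquote(raw_path))
    return f"<p>The requested URL {shown} was not found on this server.</p>"


def render_404_static(raw_path: str) -> str:
    """Hardened template: the body never depends on the request."""
    return "<p>The page you requested was not found.</p>"


def attacker_text_survives(body: str) -> bool:
    """True if the sentence planted in the PoC URL appears in the response."""
    return "please visit https://www.ATTACKER.COM" in body


if __name__ == "__main__":
    for render in (render_404_reflecting, render_404_static):
        body = render(POC_PATH)
        print(f"{render.__name__}: spoofed text present = "
              f"{attacker_text_survives(body)}")
        print("  " + body)
```
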