Nextcloud: Log pollution can lead to HTML Injection.
2016-06-21T17:45:54
ID H1:146278 Type hackerone Reporter apok Modified 2016-07-19T11:52:30
Description
Hi Team,
I was looking around in your app and on the log part (accessed by the admin), I noticed that the log file is downloaded as an HTML file. Naturally I started trying to inject code, and I noticed that when HTML code is inserted, an HTML comment start tag is inserted. But I was able to bypass this protection by inserting a comment end tag and then the HTML code, which resulted in HTML injection.
To reproduce this behaviour I started looking for where a user is able to inject data into the log file, and I noticed that when the "Host" header is different from the one configured for the app, a warning is injected into the app. There are likely many other sections that could serve to inject into the log, but I've just started to analyze the app so I couldn't find any yet.
Proof of Concept:
1) Generate the following request to the server:
GET /nextcloud/index.php HTTP/1.1
Host: -->test"<img src=a onerror=alert('xss')>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7,es-AR;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
2) Download the log file.
3) Observe that the code is executed properly.
Why is this a vulnerability?
A malicious individual could use this to execute malicious code on an administrator who happened to open the downloaded log file.
How to fix? We can defeat this attack by adding an additional filter on the log file which escapes HTML special characters.
I'm sending a couple of screenshots. I'll keep digging and if I find anything else I'll send you another report.
Kind Regards,
Apok.
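The two sanitizers below, added here as an illustration and not code from the report or from Nextcloud, contrast the comment-wrapping the reporter found (which the `-->` prefix in the Host header breaks out of) with the HTML escaping the report proposes, and add a defender-side audit that flags log entries in which markup survives outside a comment. The log message format and the `wrap_in_comment` helper are assumed reconstructions; the sample log lines are constructed.

```python
import html
import re

# Constructed inputs: the hostile Host header value from the report and a benign one.
HOSTILE_HOST = "-->test\"<img src=a onerror=alert('xss')>"
BENIGN_HOST = "cloud.example.test"


def wrap_in_comment(value: str) -> str:
    """Assumed reconstruction of the defeated mitigation: hide user data in an
    HTML comment. A '-->' inside the value closes the comment early."""
    return f"<!-- {value} -->"


def escape_for_log(value: str) -> str:
    """The fix the report proposes: escape HTML special characters, so the
    value can never be parsed as markup no matter how the file is opened."""
    return html.escape(value, quote=True)


def log_line(host: str, sanitize) -> str:
    """Constructed log message shape (not Nextcloud's real text)."""
    return f"Trusted domain error. \"{sanitize(host)}\" is not a trusted domain."


_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def has_live_markup(rendered: str) -> bool:
    """True if a tag opener survives outside HTML comments, i.e. a browser
    rendering this text as HTML would parse an element from it."""
    outside = _COMMENT_RE.sub("", rendered)
    return re.search(r"<[a-zA-Z!/]", outside) is not None


def audit_log(lines):
    """Defender check: 1-based numbers of log lines that would still render."""
    return [i for i, line in enumerate(lines, 1) if has_live_markup(line)]


# Constructed sample log: benign wrapped, hostile wrapped (breaks out), hostile escaped.
SAMPLE_LOG = [
    log_line(BENIGN_HOST, wrap_in_comment),
    log_line(HOSTILE_HOST, wrap_in_comment),
    log_line(HOSTILE_HOST, escape_for_log),
]

if __name__ == "__main__":
    print("polluted lines:", audit_log(SAMPLE_LOG))  # → [2]
```

Only the comment-wrapped hostile entry is flagged; the escaped entry contains no `<` at all, which is the property the download filter must guarantee.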
Report metadata
Published 2016-06-21T17:45:54, modified 2016-07-19T11:52:30. Reporter: apok. Team: nextcloud (https://hackerone.com/nextcloud). Report URL: https://hackerone.com/reports/146278. Bounty: 350.0 (resolved). CVSS v2 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N). CVE: CVE-2016-9459. Related records: CVE-2016-9459, NC-SA-2016-002, OPENVAS:1361412562310809415, OPENVAS:1361412562310809414.
CVE-2016-9459 (NVD, published 2017-03-28T02:59:00, modified 2019-10-09T23:20:00, CWE-79)
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.
CVSS v3.0 6.1 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N); CVSS v2 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9459
NC-SA-2016-002: Log pollution can potentially lead to local HTML injection (Nextcloud advisory, published 2016-07-19)
The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed. While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.
CVSS 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N). https://nextcloud.com/security/advisory/?id=NC-SA-2016-002
OpenVAS detection plugins (Greenbone Networks GmbH; created 2016-09-27, modified 2018-10-24; CVEs CVE-2016-7419, CVE-2016-9459, CVE-2016-9460, CVE-2016-9461, CVE-2016-9462)
OPENVAS:1361412562310809415: nextCloud 'share.js' Gallery Application XSS Vulnerability (Linux), http://plugins.openvas.org/nasl.php?oid=1361412562310809415
OPENVAS:1361412562310809414: nextCloud 'share.js' Gallery Application XSS Vulnerability (Windows), http://plugins.openvas.org/nasl.php?oid=1361412562310809414
Both plugins are remote banner version checks (gb_nextcloud_share_js_gallery_app_xss_vuln_lin.nasl and gb_nextcloud_share_js_gallery_app_xss_vuln_win.nasl, authored by Tushar Khelge) that flag nextCloud Server before 9.0.52; solution: upgrade to nextCloud Server 9.0.52 or later (vendor fix). Insight: the flaw exists due to a recent migration of the gallery app to the new sharing endpoint and a parameter changed from an integer to a string value which is not sanitized properly. Impact: successful exploitation will allow remote authenticated users to inject arbitrary web script or HTML. Reference: https://nextcloud.com/security/advisory/?id=nc-sa-2016-001. CVSS 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N).