HackerOne report H1:146278 (reporter: Apok)

Nextcloud: Log pollution can lead to HTML Injection.

2016-06-21 17:45:54
apok
hackerone.com

EPSS: 0.002 (Low), percentile 54.8%

Hi Team,
I was looking around in your app and on the log part (accessed by the admin), I noticed that the log file is downloaded as an HTML file. Naturally I started trying to inject code, and I noticed that when HTML code is inserted, an HTML comment start tag is inserted. But I was able to bypass this protection by inserting a comment end tag and then the HTML code, which resulted in HTML injection.

To reproduce this behaviour I started looking where a user is able to inject data into the log file, and I noticed that when the “Host” header is different from the one configured for the app, a warning is injected into the log. There are likely many other sections that could serve to inject into the log, but I’ve just started to analyze the app so I couldn’t find any yet.

Proof of Concept:

  1. Generate the following request to the server:
    GET /nextcloud/index.php HTTP/1.1
    Host: -->test"<img src>
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
    Accept-Language: en-US,en;q=0.7,es-AR;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
  2. Download the log file.
  3. Observe that the code is executed properly.

Why is this a vulnerability?
A malicious individual could use this to execute malicious code on an administrator that happened to open the downloaded Log file.

How to fix? We can defeat this attack by adding an additional filter on the log file which escapes HTML special characters.

I’m sending a couple of screenshots. I’ll keep digging and if I find anything else I’ll send you another report.

Kind Regards,
Apok.
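The report describes two ways of rendering untrusted log text into an HTML log download: wrapping it in an HTML comment (bypassable by closing the comment) and escaping HTML special characters (the reporter's suggested fix). The following is an added example, not Nextcloud's code and not part of the original report; it models both renderers on the Host header value from the PoC above and uses Python's standard HTML parser to check which tags a browser would actually interpret. The function names and the constructed sample value are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the Host header value from the report's PoC, as the log
# writer would store it verbatim when it warns about an untrusted host.
UNTRUSTED_HOST = '-->test"<img src>'


def render_log_entry_naive(message: str) -> str:
    """Weak mitigation modelled on the report: hide the untrusted text inside an
    HTML comment. A value containing '-->' closes the comment early, so whatever
    follows is parsed as live markup."""
    return "<!--" + message + "-->"


def render_log_entry_escaped(message: str) -> str:
    """Fix suggested in the report: escape HTML special characters so the text
    is displayed literally. quote=True also escapes '"' and "'", which matters
    if the value ever ends up inside an attribute."""
    return "<pre>" + html.escape(message, quote=True) + "</pre>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees outside comment context."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def active_tags(fragment: str) -> list[str]:
    """Return the tag names a browser-like parser would treat as real elements.
    Anything still inside a comment is not reported."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def flag_suspicious_log_value(value: str) -> bool:
    """Detection-side check: values carrying a comment terminator or a tag
    opener do not belong in a legitimate Host header and are worth alerting on."""
    return "-->" in value or "<" in value


if __name__ == "__main__":
    print("naive  :", render_log_entry_naive(UNTRUSTED_HOST),
          "->", active_tags(render_log_entry_naive(UNTRUSTED_HOST)))
    print("escaped:", render_log_entry_escaped(UNTRUSTED_HOST),
          "->", active_tags(render_log_entry_escaped(UNTRUSTED_HOST)))
    print("suspicious:", flag_suspicious_log_value(UNTRUSTED_HOST))
```

With the comment-wrapping renderer the parser reports an `img` element, because the leading `-->` in the value terminates the comment the renderer opened; with the escaping renderer only the wrapping `pre` element remains and the admin still sees the original value as text. Escaping at render time is the right layer for the fix: the log file should keep the raw value for forensics, and the HTML view should never trust it.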
