hackerone / lmx / H1:154827
History: Jul 29, 2016 - 5:41 a.m.

Nextcloud: More content spoofing through dir param in the files app

2016-07-29 05:41:44
lmx
hackerone.com
$50
32

EPSS: 0.005 (percentile: 75.9%)

Hi! It’s still possible to use an invalid dir param to spoof messages in the directory breadcrumbs area.

For example, you can use URL-encoded periods to bypass the directory traversal prevention. By referencing a path that returns a 301, you can add a message in the dir param F108266:

https://demo.nextcloud.com/index.php/apps/files/?dir=../../../.well-known/caldav/Error - please restart your computer to continue

Also, in Chrome, the presence of a null byte (%00) in the URL causes a CSP error for an ajax request upon page load, which prevents the redirect to dir=/ and allows you to put a message in the dir param F108267:

https://demo.nextcloud.com/index.php/apps/files/?dir=Error! Please restart your computer and try again

Please let me know if you need more info. Thanks!
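The two findings above share one root cause: the raw `dir` query value reaches the breadcrumb bar before it has been fully decoded, checked for traversal and control characters, and matched against folders that actually exist. The following is an added example written for this page, not Nextcloud's own code, showing the shape of a fix on the receiving side: decode the parameter to a fixed point so percent-encoded (and double-encoded) dots cannot slip past a textual `..` check, refuse null bytes and other control characters, and build breadcrumbs only from verified path components, falling back to `/` whenever the value does not resolve. The `exists` callback and the root label `Files` are assumptions introduced for the example.

```javascript
// Added example (not Nextcloud's code): normalise a user-supplied `dir`
// query parameter before it is used for navigation or echoed into the
// breadcrumb bar. Anything that does not resolve to a clean path inside
// the user's root falls back to "/", the redirect the report describes
// as the intended behaviour.

const MAX_DECODE_ROUNDS = 3; // bound for nested percent-encoding

// Decode repeatedly until the value stops changing, so "%252e%252e"
// (double-encoded "..") is seen as traversal rather than as a folder name.
function fullyDecode(raw) {
  let value = raw;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next;
    try {
      next = decodeURIComponent(value);
    } catch (e) {
      return null; // malformed percent-encoding: reject
    }
    if (next === value) return value; // fixed point reached
    value = next;
  }
  return null; // still changing after the bound: treat as hostile
}

function normalizeDirParam(raw) {
  if (typeof raw !== 'string') return '/';
  const decoded = fullyDecode(raw);
  if (decoded === null) return '/';
  // A null byte never belongs in a directory name; the report notes that
  // %00 derails the client-side redirect in Chrome, so reject it outright,
  // along with any other control character.
  if (decoded.includes('\0')) return '/';
  if (/[\x01-\x1f\x7f]/.test(decoded)) return '/';
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue; // empty and "." segments are noise
    if (seg === '..') return '/';             // traversal attempt: refuse, don't clamp
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Breadcrumbs are built from the verified list of existing folders, never
// from the raw query string. `exists(path)` is a hypothetical callback that
// answers whether `path` exists for the current user.
function breadcrumbsFor(rawDir, exists) {
  const dir = normalizeDirParam(rawDir);
  const crumbs = [{ name: 'Files', path: '/' }];
  let current = '';
  for (const seg of dir.split('/').filter(Boolean)) {
    current += '/' + seg;
    if (!exists(current)) break; // stop at the first component that is not a real folder
    crumbs.push({ name: seg, path: current });
  }
  return crumbs;
}

// Constructed sample: only these two folders exist for the demo user.
const demoExists = (p) => ['/Documents', '/Documents/Work'].includes(p);
```

With this in place, a value such as `%2e%2e/%2e%2e/.well-known/caldav/Error - please restart...` normalises to `/` and renders only the root crumb, while `Documents/Work/Not%20a%20folder` stops at `Work` because the trailing component fails the existence check, so nothing attacker-chosen is ever displayed as a breadcrumb.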
