Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneEg42H1:1595006
HistoryJun 08, 2022 - 2:50 p.m.

Nextcloud: Unauthenticated SSRF in 3rd party module "cerdic/csstidy"

2022-06-0814:50:19
eg42
hackerone.com
$250
8

0.002 Low

EPSS

Percentile

58.4%

JSON

Summary:

The mail extension in nextcloud includes a module called “cerdic/csstidy” which basically ships with a publicly accessible test/example interface to play with the CSS formatter and optimiser (/apps/mail/vendor/cerdic/css-tidy/css_optimiser.php). This module allows contacting any remote server via http, which makes it vulnerable to SSRF. We’ve tried reaching out to the csstidy developers directly but couldn’t reach them yet, so we’re reaching out to you so they can fix this before csstidy pushes out a fix.

It’s also possible to download remote data as a CSS file into a temporary directory in /apps/mail/vendor/cerdic/css-tidy/temp/. At the moment, this doesn’t look to be exploitable on its own, and probably requires another vulnerability to exploit, e.g. a Local File Inclusion vulnerability could be turned into a Remote File Inclusion by first creating a CSS file containing PHP code (downloaded from a remote server via the csstidy vulnerability), and then including the local file via the LFI bug.

Steps To Reproduce:

  1. Install the mail extension
  2. Visit: http://example.com/apps/mail/vendor/cerdic/css-tidy/css_optimiser.php (no authentication is required)
  3. Either use the interface to set “CSS from URL” on the bottom or set the “url” parameter manually, for example: http://example.com/apps/mail/vendor/cerdic/css-tidy/css_optimiser.php?url=http://localhost/test
  4. To download remote data as CSS file, either use the interface or try this: http://example.com/apps/mail/vendor/cerdic/css-tidy/css_optimiser.php?url=http://localhost/apps/richdocuments/docs/custom.css&custom=1&template=4

Supporting Material/References:

Impact

Usually, SSRFs are not considered a high-impact vulnerability, and I would likely agree on most PHP projects, but (a) this vulnerability can be exploited by an unauthenticated attacker and (b) nextcloud is also designed to be used at a home network which opens the possibility of not only attacking other local services, but also the router of the home network. The ability to receive and write CSS files can also be used by the attacker to find out what other services are running on devices in the network or what kind of router is used etc., before running additional attacks.

Related

nextcloud 1
osv 1
cvelist 1
nvd 1
cve 1
prion 1
nextcloud
nextcloud
Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
2022-08-04 06:29:01
osv
osv
CVE-2022-31132
2022-08-04 17:15:08
cvelist
cvelist
CVE-2022-31132 Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
2022-08-04 17:10:10
nvd
nvd
CVE-2022-31132
2022-08-04 17:15:08
cve
cve
CVE-2022-31132
2022-08-04 17:15:08
prion
prion
Server side request forgery (ssrf)
2022-08-04 17:15:00

0.002 Low

EPSS

Percentile

58.4%

JSON
Related for H1:1595006
nextcloud1osv1cvelist1nvd1cve1prion1