Summary:
Registered users can generate massive database load
Steps To Reproduce:
- create 9 circles and 6 folders (circles * folders > 50)
- share all created folders with all created circles
- open another folder and open its share tab, so that the URI /ocs/v2.php/apps/files_sharing/api/v1/sharees_recommended is requested
- this request results in a loop that runs until the PHP max_execution_time limit is reached; the recommended value for this setting is 3600 seconds (1h)
- a small number of these requests will stress even large servers
Tested with Nextcloud 23.0.8
Impact:
An attacker can slow down the system by generating a lot of database/CPU load.
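
A way to spot the condition described above from the web server side, as an added example that is not part of the original report: it scans access-log lines for slow or timed-out requests to the sharees_recommended endpoint and lists clients that issue several of them. The log format (combined format with the request duration in seconds as the last field), the sample lines and both thresholds are assumptions.

```python
import re
from collections import Counter

# Endpoint named in the report.
ENDPOINT = "/ocs/v2.php/apps/files_sharing/api/v1/sharees_recommended"

# Assumed log format: combined log format with the request duration in
# seconds appended as the last field (e.g. nginx "$request_time").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<secs>\d+(?:\.\d+)?)$'
)

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2022:13:55:01 +0000] "GET /ocs/v2.php/apps/files_sharing/api/v1/sharees_recommended?format=json HTTP/1.1" 200 412 "-" "Mozilla/5.0" 0.184
203.0.113.9 - - [10/Oct/2022:13:56:10 +0000] "GET /ocs/v2.php/apps/files_sharing/api/v1/sharees_recommended?format=json HTTP/1.1" 500 0 "-" "Mozilla/5.0" 3600.012
203.0.113.9 - - [10/Oct/2022:13:56:12 +0000] "GET /ocs/v2.php/apps/files_sharing/api/v1/sharees_recommended?format=json HTTP/1.1" 504 167 "-" "Mozilla/5.0" 60.001
203.0.113.9 - - [10/Oct/2022:13:56:15 +0000] "GET /ocs/v2.php/apps/files_sharing/api/v1/sharees_recommended?format=json HTTP/1.1" 504 167 "-" "Mozilla/5.0" 60.003
192.0.2.4 - - [10/Oct/2022:13:57:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0" 45.200
198.51.100.7 - - [10/Oct/2022:13:57:30 +0000] "GET /ocs/v2.php/apps/files_sharing/api/v1/sharees?search=a HTTP/1.1" 200 230 "-" "Mozilla/5.0" 0.090
"""

def find_slow_recommendation_requests(log_text, slow_secs=30.0):
    """Return {client_ip: count} of slow or timed-out requests to ENDPOINT."""
    # A proxy timeout can end the logged request before PHP's
    # max_execution_time is reached, so gateway timeouts (504) count too.
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format
        if m["path"].split("?", 1)[0] != ENDPOINT:
            continue  # other endpoints are out of scope here
        if float(m["secs"]) >= slow_secs or m["status"] == "504":
            hits[m["ip"]] += 1
    return dict(hits)

def clients_over_limit(log_text, slow_secs=30.0, max_slow=2):
    """Clients with at least max_slow slow requests (assumed threshold)."""
    hits = find_slow_recommendation_requests(log_text, slow_secs)
    return sorted(ip for ip, n in hits.items() if n >= max_slow)

if __name__ == "__main__":
    print(clients_over_limit(SAMPLE_LOG))
```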