An unauthenticated remote attacker can bypass password protection on certain shared file types through the file sharing app’s publicpreview.php function.
http://[server]/nextcloud/index.php/apps/files_sharing/ajax/publicpreview.php?x=[width]&y=[height]&t=[share ID]
Nextcloud users have the option to protect files shared via a link with a password. Recipients must enter the correct password when trying to view the shared file. However, if the shared file is an image file, an unauthenticated remote attacker can obtain a preview of the file through the vulnerable URL by passing the file’s share ID as the value of the ‘t’ parameter. Nextcloud returns a preview of the file without prompting for the unlock password first. If the shared file is an image, an attacker can essentially retrieve the user’s image file in it’s entirety through the preview function.
1 share settings.png - demonstrates my test file’s share settings.
2 password protected.png - demonstrates visiting the password protected file’s link and getting prompted for a password.
3 preview 1.png - demonstrates getting a partial view of the file through the preview function. No password required.
4 preview 2.png - a larger preview (x and y parameters modified). Compared to picture 3 I have recovered more of the image, especially on the left and right edges.
Image files are the most susceptible to this attack. Text files and markdown files generate preview images which can also be recovered using this technique; however, their generated preview images contain only a small portion of the overall file. Realistically speaking an attacker can recover limited information from a text file’s preview image, usually just a few words total.
Other file types such as MS Office and PDF documents have their preview providers disabled by default. They may be vulnerable to this vulnerability but Nextcloud’s security model assumes enabling their preview providers is insecure anyway (https://nextcloud.com/security/threat-model/) so I did not check them.
An attacker does not have to be authenticated to Nextcloud but does need to know the share ID to exploit this vulnerability.
Consider adding a check in the preview handler to only render a preview if the shared file isn’t password protected or if the user has already entered the correct password.