Installed Nextcloud from Snap package (version 13.0.2snap1, revision 6916) on fresh Ubuntu 18.04 LTS install.
Installed and enabled Files access control (v1.3.0) and Files automated tagging (v1.3.0) apps.
As an administrator created an invisible collaborative tag Secret
.
Added Files automated tagging rule to add the Secret
tag for all files with user membership of admin
group.
Added Files access control rule restricting the access for all files with the Secret
tag and user who is not a member of admin
group.
Created unprivileged user user
.
Accessed the admin
account from WebDAV interface (in order to avoid generating automatic file previews) and created the following files/folders on the server:
folder: Secret_Folder
folder: Secret_Folder/Secret_Subfolder
file: Secret_Folder/Secret_Subfolder/Secret_Picture.jpeg
file: Secret_Folder/Secret_Subfolder/Secret_Text.txt
Shared the Secret_Folder
from admin
user to the unprivileged user user
with no edit rights.
From client computer authorized as the unprivileged user user
and used WebDAV search to recursively list all files with their MIME types with the following curl
command: {F302611}. This command downloaded the list of all shared files as an xml file: {F302614}.
Identified an image file Secret_Folder/Secret_Subfolder/Secret_Picture.jpeg
from the file list and accessed its contents through files preview API with the following curl
command:
curl -u user 'https://test.frp.lv/index.php/apps/files/api/v1/thumbnail/1212/750/Secret_Folder/Secret_Subfolder/Secret_Picture.jpeg' -H 'Content-Type: application/x-www-form-urlencoded' > Secret_Picture.jpeg
The unauthorized attacker can list all files recursively for an unlimited depth, even if explicitly denied by Files access control
rules.
The unauthorized attacker can view the contents of all denied image files up to their maximum resolution. It is up to the attacker to choose the required image resolution (1024 x 768 in the example) and construct corresponding GET
query through image preview API. Note that it is not even required for the file owner to use web interface and preview the protected image files before the attack. The corresponding image preview files are generated on the server upon the request of the attacker.
If the file owner has logged in Nextcloud web interface and browsed the protected files, thus automatically rendering thumbnail previews, it also becomes possible for the attacker to access previews of protected text files with the following curl
command referencing the text file from the example, choosing 4096x4096 resolution:
curl -u user 'https://test.frp.lv/index.php/apps/files/api/v1/thumbnail/4096/4096/Secret_Folder/Secret_Subfolder/Secret_Text.txt' -H 'Content-Type: application/x-www-form-urlencoded' > Secret_Text.png
The obtained preview image can contain critical information that should have been protected - see example of downloaded preview below:
{F302628}