Steps to reproduce:
Install and set up Nextcloud (optional: create a few random users).
Apply the following patch to a standard Nextcloud server:
diff --git a/settings/BackgroundJobs/VerifyUserData.php b/settings/BackgroundJobs/VerifyUserData.php
index 56ebadff9c..76ed8b5ed3 100644
--- a/settings/BackgroundJobs/VerifyUserData.php
+++ b/settings/BackgroundJobs/VerifyUserData.php
@@ -43,10 +43,10 @@ class VerifyUserData extends Job {
private $retainJob = true;
/** @var int max number of attempts to send the request */
- private $maxTry = 24;
+ private $maxTry = PHP_INT_MAX;
/** @var int how much time should be between two tries (1 hour) */
- private $interval = 3600;
+ private $interval = 1;
/** @var AccountManager */
private $accountManager;
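Review bot: the doc comment on `$interval` still reads "(1 hour)" while the new value is `1` (one second), and `$maxTry = PHP_INT_MAX` means the job never gives up; both changes are fine as reproduction-only instrumentation that makes the job fire on every cron run, but the comments should be updated (or the hunk clearly marked debug-only) so the change is not mistaken for a real fix.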
@@ -203,6 +203,7 @@ class VerifyUserData extends Job {
// ask lookup-server for user data
$lookupServerData = $this->queryLookupServer($cloudId);
+ printf('Lookup server response for cloudId=%s: %s' . PHP_EOL, $cloudId, print_r($lookupServerData, true));
// for some reasons we couldn't read any data from the lookup server, try again later
if (empty($lookupServerData)) {
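Review bot: the `printf` sits before the `empty($lookupServerData)` check, so every lookup-server query is printed even when nothing comes back, which is exactly what makes the outbound request for each cloud ID visible in the reproduction below; note that it writes to the process's stdout, which works for `php -f cron.php` from the shell but would surface in the HTTP response if cron is triggered via webcron/AJAX, so for anything beyond a one-off reproduction the server's logger is the better sink.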
$ sudo -u www-data php -f /path/to/nextcloud/cron.php
Lookup server response for cloudId=admin@pferdeapfel.intranet.struktur.de:8096: Array
(
)
Lookup server response for cloudId=leaked@pferdeapfel.intranet.struktur.de:8096: Array
(
)
There’s absolutely no reason to leak such information. (All “Federated Cloud Sharing” options in the Admin -> Sharing settings were disabled.)
This is especially bad as we have https://hackerone.com/bugs?report_id=508487
The Nextcloud server has knowledge of every Nextcloud instance worldwide which has access to the Internet, including all of its users