current release Version 126.96.36.199 stable Build: '2019-08-14T18:57:27+00:00 a1a245e88202d834f08f4c2e4451dcbe9baee3aa'
On Nextcloud, PHP files can be uploaded, but when clicked they are only shown in a text editor. If the URL to our script is known, we get code execution. RCE will work if the server has set its data directory inside the Nextcloud server folder and the username is known.
The following is located in /var/www/nextcloud/config/config.sample.php:
* Default to data/ in the Nextcloud directory.
'datadirectory' => '/var/www/nextcloud/data',
If this config is used, RCE is possible.
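A defensive check for the condition described above, as an added example that is not part of the original report or of Nextcloud's own code: it reads the `datadirectory` value from a config file's text and reports whether it resolves to a location inside the install directory, including through symlinks. The function names and the sample config are constructed for illustration, and resolving a relative value against the install directory is an assumption.

```python
import os
import re

# Matches a 'datadirectory' => '...' entry (single or double quotes).
DATADIR_RE = re.compile(r"""['"]datadirectory['"]\s*=>\s*(['"])(.+?)\1""")


def read_datadirectory(config_text):
    """Return the configured datadirectory value, or None if the key is absent."""
    for line in config_text.splitlines():
        # Skip PHP comment lines so documentation text is never mistaken for a setting.
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        match = DATADIR_RE.search(line)
        if match:
            return match.group(2)
    return None


def is_inside(path, root):
    """True if path is root or below it, after resolving symlinks and '..'."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    # commonpath compares whole components, so /var/www/nextcloud-data
    # is not treated as being inside /var/www/nextcloud.
    return os.path.commonpath([path, root]) == root


def audit(config_text, nextcloud_root):
    """Report where user files live and whether that is inside the install dir."""
    datadir = read_datadirectory(config_text)
    if datadir is None:
        # config.sample.php: defaults to data/ in the Nextcloud directory.
        datadir = os.path.join(nextcloud_root, "data")
    elif not os.path.isabs(datadir):
        # Assumption: a relative value is resolved against the install dir.
        datadir = os.path.join(nextcloud_root, datadir)
    return {"datadirectory": datadir,
            "inside_install_dir": is_inside(datadir, nextcloud_root)}


if __name__ == "__main__":
    # Constructed sample config, using the value quoted in the report.
    sample = "<?php\n$CONFIG = array(\n  'datadirectory' => '/var/www/nextcloud/data',\n);\n"
    print(audit(sample, "/var/www/nextcloud"))
```

A result with `inside_install_dir` set to true means uploaded files sit under the directory the web server publishes, which is the precondition this report relies on.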
Short video attached. (To reproduce, use a Nextcloud instance and set up a user named attacker. Use any PHP script called shell.php, and set the datadirectory to /var/www/nextcloud/data.)
This is possible since we know the direct path to our PHP script.
Note: This can also be used for XSS since we can upload any HTML file!
RCE, extract user data or modify the config file (if no special permissions are set), take over the server; XSS is also possible.