Nextcloud: Ransomware protection is missing extensions take 2
As requested in https://hackerone.com/reports/1195568 Impact So not spam ;...
openSUSE Security Update : nextcloud-desktop (openSUSE-2021-577)
This update for nextcloud-desktop fixes the following issues : nextcloud-desktop was updated to 3.1.3 : - desktop2884 stable-3.1 Add support for Hirsute - desktop2920 stable-3.1 Validate sensitive URLs to only allow https schemes. - desktop2926 stable-3.1 Validate the provider's SSL certificate -...
Nextcloud: Talk discloses turn server to anybody
The attack is straightforward. 1. send a request with curl -H 'OCS-APIREQUEST: true' https://server/ocs/v2.php/apps/spreed/api/v2/signaling/settings and you get back a lot of information: signaling server, stun server, turn server inc credentials. The stun server is harmless enough. I did not lo...
Nextcloud: Ransomware protection is missing extensions
So again I'm not sure if this is in scope. However you do advertise this on your enterprise pages. So I assume so. In any case, it seems your ransomware protection app is missing some common extensions. See for example...
Nextcloud: Virtual Data Room / Hide download on collabora is easy to bypass
So, let me start with saying I'm not sure if this is a security issue or if it is by design. The reason I'm reporting it here is since Nextcloud promotes this Virtual Data Room a lot...
Nextcloud: Scoped apptokens can be changed by that very apptoken
I noticed that there is the possibility to limit apptokens to not be able to access the filesystem. 1. Create a new apptoken in https://server/settings/user/security 2. Click the .. of your new apptoken and make it not allowed to access the filesystem 3. Log out 4. Navigate to...
Nextcloud: Clients do not verify server public key
So this is related to https://hackerone.com/reports/1189162 but also to your RFC Bear with me because there is going to be some hand waving here and there. Since not everything is implemented yet from your RFC. Right now what happens is:...
Nextcloud: public webdav endpoint not bruteforce protected
Again related to https://hackerone.com/reports/1173684 I am having some trouble finding the code. However if you do curl -u "RANDOM1:RANDOM2" -X PROPFIND https://server/public.php/webdav And then check your ocbruteforceattempts table. You'll see there is no entry registered. Impact Low just like ...
Nextcloud: Add to your nextcloud endpoint is not properly protected
This is related to https://hackerone.com/reports/1173684 The endpoint you hit does have bruteforce protection https://github.com/nextcloud/server/blob/master/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php#L126 But this is only triggered by finding a share that is password...
Injection Vulnerability
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation...
Nextcloud: End to end encryption folder locking is not properly protected
I do not see the endtoendencryption app listed here. But since you advertise it big on your website and in communication. And the clients that also support it are covered I assume this is part of the program as well. 1. userA has end to end encryption setup 2. userB wants to annoy userA 3. userB...
Nextcloud: Android app does not clear end to end encryption keys
1. userA on serverA sets up end to end encryption on their android device 2. userA has some end to end encrypted data 3. userA removes their account on serverA from their android device for whatever reason 4. attacker evil admin obtains the device of userA 5. attacker evil admin logs in on the...
Nextcloud: End to end encryption public key is not properly verified on Desktop and Android
Since last time when I reported something on multiple platforms you seem to prefer handling it in 1 spot, I now just do one. Let me know if you want me to file a separate one for Android as well. This issue does not seem to happen on iOS as there a test string is encrypted and decrypted, in short...
Nextcloud: Default Nextcloud allows http federated shares
1. userA on serverA runs on http only 2. userA sends a federated share to userB on serverB 3. userB is a normal user so he has no clue that there is no secure transport used and accepts the share 4. all the data written to and read from is now no longer protected by TLS Impact While maybe a bit far...
Nextcloud: Session fixation on public talk links
1. userA shares a talk room and protects it with a password 2. userB opens links but doesn't enter the password yet 3. Attacker steals the cookies from userB 4. userB logs in 5. attacker is now also able to read the conversation etc Impact In short the attacker is able to take over the session of...
Fedora: Security Advisory for nextcloud-client (FEDORA-2021-1ffffa0251)
[SECURITY] Fedora 33 Update: nextcloud-client-3.1.3-1.fc33
Nextcloud-client enables you to connect to your private Nextcloud Server. With it you can create folders in your home directory, and keep the contents of those folders synced with your Nextcloud server. Simply copy a file into the directory and the Nextcloud Client does the rest...
Nextcloud: index.php/apps/files_sharing/shareinfo endpoint is not properly protected
When federated shares between two Nextclouds are created they do not use standard webdav to communicate. But to obtain the file list they seem to use the SERVER/index.php/apps/files_sharing/shareinfo endpoint. Unlike the other endpoints for tokens like public link shares, there is no brute force...
Nextcloud: Trusted server shared secret stored unencrypted in the database
The attack vector here is that somebody gets their hands on your database. When two servers have added each other as trusted server they exchange a shared secret token. With this token they can sync down each other's user lists. However it seems that this token is stored in plain text in the...
Nextcloud: Default settings leak federated cloud id to lookup server of all users
So with the default settings Nextcloud still sends requests to the lookup server if users update their profile. Even if none of the fields are set to 'published'. I must admit this is somewhat of a surprise as there is no reason for this. As long as the visibility of none of the fields change and...