Nextcloud: Content Spoofing/Text Injection - docs.nextcloud.org
Issue: ====== Hey, I've found content spoofing, also known as "Text Injection", in your sub-domain docs.nextcloud.org URL: ------- Here is the malicious URL: https://docs.nextcloud.org/.htacessCONTENT%20SPOOFING%20BY%20AHSAN Fix: Use a custom 403 error page which doesn't contain the user's text! I hope...
Nextcloud: Content Injection 404 page
Hi there, Similar to reports 145344 and 145532, it's possible to spoof the 404 page using http. PoC URL: http://nextcloud.com/has%2f%20been%20changed%20to%20https://www.ATTACKER.COM.%20so%20please%20visit%20https://www.ATTACKER.COM%20as%20your%20requested%20link Note: If this redirects you to https...
Nextcloud: Business/Functional logic bypass: Remove admins from admin group.
In Nextcloud the default admin cannot be removed from his admin group. The group toggle request looks like this: POST /nextcloud/index.php/settings/ajax/togglegroups.php HTTP/1.1 Host: 139.59.9.184 User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.11; rv:47.0 Gecko/20100101 Firefox/47.0 Accep...
Nextcloud: help.nextcloud Email Address/Username enumeration
Hello Nextcloud, I have another finding: I found that email address enumeration and/or username enumeration is possible in signup/registration and forgot password under https://help.nextcloud.com/ . Email/username enumeration can be used with any malicious intent by a malicious-minded user. - For...
Nextcloud: newsletter.nextcloud.com: Bypass firewall protection
Hi Security team, I would like to report a firewall bypass vulnerability. When you try to navigate to this link it needs authentication, but it's possible to access the admin panel when you add index.php after /admin/. https://newsletter.nextcloud.com/admin/index.php P.o.C : video in attachment...
Nextcloud: Bruteforcing help.nextcloud.com
Hi, I've found that the user is allowed to perform brute force on the help.nextcloud.com login. I tried to input a wrong password 25 times, then input my correct password on my 26th attempt and it successfully logged in, so a malicious-minded user can always continue guessing an account password. Steps ...
Nextcloud: Bruteforce attack is possible on newsletter.nextcloud.com
Since HTTP Basic authentication is used on https://newsletter.nextcloud.com, this type of authentication is vulnerable to brute-force attack. Refer to the attachment below F100241 Refer to the attachment below F100240 Attacking via metasploit auxiliary scanner httplogin: refer to the attachment below F10023...
Nextcloud: No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers
The lack of a captcha or verificationcodeX (it's empty in your phplist configuration) allows attackers to use this mail to send as much spam as they like to victims. I did not reach an email sending limit when I tested this. PoC images below: Burp suite automated requests:...
Nextcloud: Avatar image upload and bypass real image verification
Hi, We can bypass avatar upload image verification and extension checks by uploading a php file or any other extension bound to a valid jpeg image. There is no risk for the moment because the avatar is renamed to avatarupload on the remote server, but it'll be nice to secure this part of the code. Example...
Nextcloud: https://newsletter.nextcloud.com Directory listing and Information Disclosure
Hi, This is the domain that we are going to work on, as you know: https://newsletter.nextcloud.com/ Firstly I want to tell you that when you try to navigate to https://newsletter.nextcloud.com/admin it needs authentication. But when you do this via IP...
Nextcloud: Lost Password CSRF
Hi, I think it is something about your Wordpress version. It's not something highly risky, but it is a vulnerability. CODE: Username or Email For testing CSRF I added the .html file to the attachments, and there is a screenshot for you. How To Fix : Adding rpkey will be fine. Please take a look at the links bel...
Nextcloud: Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy)
Sir, I have found a major bug in your website: that is, Directory listing & Practical Attacks On PGP signature. Affected area: https://download.nextcloud.com/server/ Here is my poc F100081 Poc Details: The web server is configured to display the list of files contained in this directory. As a resul...
Nextcloud: Server side request forgery (SSRF) on nextcloud implementation.
An admin of nextcloud server can add other trusted nextcloud server in his own installation. The following request passes when a new add request is processed: http POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1 Host: myown.nextcloudserver.com User-Agent: Mozilla/5.0 Macintosh;...
Nextcloud: Vulnerable Javascript library
Information disclosure: So from a simple lookup you can confirm the version of the jquery used. And it is an outdated one that, according to some research I did, has public vulnerabilities, such as XSS. Steps to reproduce: 1- navigate to:...
Nextcloud: nextcloud.com: Directory listing for 'wp-includes' folders
Hello guys, Details: The web server is configured to display the list of files contained in this directory. As a result of a misconfiguration, an end user / attacker is able to see the content of the folders with systemically important files. Vulnerable place: /wp-includes directory. When I tried to navigat...
Nextcloud: failure to invalidate session on password change
Steps to reproduce 1. Log in as user1 in the Firefox browser 2. Go to http://localhost/nextcloud/index.php/settings/personal 3. Go to another browser (Chrome) and log in as user1 4. Change the password in Chrome Observe that the session in Firefox still works...
Nextcloud: Nextcloud server software: Content Spoofing
In Nextcloud the "dir" parameter is vulnerable to a content spoofing attack. If anyone puts a valid directory name in the dir parameter then it goes to that directory, otherwise it redirects to the home directory /. By putting ../../ in the dir parameter I was able to stop the redirect, then I put some...
Nextcloud: No rate limiting on password protected shared file link
A user can share any files with a link and can also set a password for it, but the issue is that there isn't any rate limiting implemented for this feature. So an attacker can bruteforce the shared link, whereas on the other side the victim might be thinking he is safe even though he shared a private file link publicly...
Nextcloud: nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Hello, We can spam bomb any email by using your website. Please check the attack success poc image in the attached file and you will understand: POC : 1. Go to Link :- 2. In details fill in all things; in the email option enter the victim's email. 4. Replay the same request many times; the victim's email will be spammed...
Nextcloud: Share owner has no possibility to list all existing derived shares
Hi, I found a bug where a shared link of a particular file can disclose all files of that folder. Steps to reproduce + Make a group at http:///nextcloud/index.php/settings/users and a standard user in it. + Now go to any folder and change it to gallery view F99993 + Invite that group which you made in st...