
[Security] Critical Security issue - how to report? #221

Closed
GAS85 opened this issue Sep 29, 2021 · 3 comments · Fixed by #225

GAS85 (Contributor) commented Sep 29, 2021

I have a security vulnerability to report. How would you like me to report it?
Please provide the appropriate contact information or instructions for where to report it.

SHA of Issue text file.
SHA256:1bd7d43dda7ad5031455a52438dfb9b6e1ac3f94167adb83725d5b9d1a570deb

GAS85 changed the title from "[Security] Ceitical Security issue - how to report?" to "[Security] Critical Security issue - how to report?" on Sep 29, 2021

weeman1337 (Contributor) commented

Hi @GAS85. You can send it via mail to me [email protected].

GAS85 (Contributor, Author) commented Nov 17, 2021

Any update here? The MR is still open and not a "secret" anymore.

GAS85 (Contributor, Author) commented Dec 14, 2021

[Security] User is able to download files outside of his Download folder, modify files of other users and replace system files

Escaping from the Downloads folder

Steps to reproduce

  1. Open the UI and, using CURL, put any file you need in the URL, e.g. for the PoC http://speedtest.wdc01.softlayer.com/downloads/test100.zip
  2. In the section "HTTP output name" put e.g. ../../../test100.zip and hit download
  3. Via SSH, check that the file was uploaded to the "root" of the data directory:

```
ls -la /var/nextcloud/data/test*
-rw-r--r-- 1 www-data www-data 104874307 Sep 29 16:20 /var/nextcloud/data/test100.zip
```

  4. Potentially you can modify the .htaccess file by this action, as the user is not limited in the file name.

Replacing files of other users or adding new files

Steps to reproduce

  1. USER A - open the UI and, using CURL, put any file you need in the URL, e.g. http://speedtest.wdc01.softlayer.com/downloads/test100.zip
  2. In the section "HTTP output name" put e.g. ../../../UserB/files/test100.zip
  3. Check that the file exists and has some content:

```
ls -la /var/nextcloud/data/UserB/files/test* && md5sum /var/nextcloud/data/UserB/files/test*
-rw-r--r-- 1 www-data www-data 13 Sep 29 16:26 /var/nextcloud/data/UserB/files/test100.zip
e91b1d1a6b802538298fcfbd2a80ce59  /var/nextcloud/data/UserB/files/test100.zip
```

  4. Hit Download
  5. Via SSH, check that the file was uploaded to User B's folder and the content was replaced:

```
ls -la /var/nextcloud/data/UserB/files/test* && md5sum /var/nextcloud/data/UserB/files/test*
-rw-r--r-- 1 www-data www-data 104874307 Sep 29 16:39 /var/nextcloud/data/UserB/files/test100.zip
d14dd5adbf56a6a1a29ec0450addbca4  /var/nextcloud/data/UserB/files/test100.zip
```

User A was able to completely replace the content of a file of User B. Potentially you can modify the .htaccess file by this action.

Expected behaviour

It must be ensured that all sections passed to the command are checked against folder changes and the passing of additional parameters.

Actual behaviour

Any user can modify all files on the host system that are accessible to the web server user, e.g. www-data
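The traversal described in the two reproductions above, and one way to confine the "HTTP output name", as an added Python example that is not code from this issue or from the project it concerns. The layout `<data>/<user>/files/Downloads`, the user names UserA and UserB, and the function names (`naive_output_path`, `validate_output_name`, `confined_output_path`) are assumptions made for the demo; the hardened checks are one possible fix, not the one merged in #225.

```python
# Added example, not code from this issue or from the project it reports on.
# It models the "HTTP output name" bug: the name is joined onto the per-user
# download folder without a check, so "../" segments walk out of it.
# Layout <data>/<user>/files/Downloads is assumed from the paths in the report.
import os
import posixpath
import tempfile

DATA_ROOT = "/var/nextcloud/data"          # assumed from the report
DOWNLOAD_SUBDIR = "files/Downloads"        # assumed per-user download folder


def naive_output_path(user: str, output_name: str) -> str:
    """Vulnerable form: join the user-supplied name straight onto the user's
    download folder. normpath collapses the '..' segments, which is how
    '../../../test100.zip' ends up in the data root."""
    return posixpath.normpath(posixpath.join(DATA_ROOT, user, DOWNLOAD_SUBDIR, output_name))


def escapes_download_folder(user: str, output_name: str) -> bool:
    """True when the naive join lands outside <data>/<user>/files/Downloads."""
    base = posixpath.join(DATA_ROOT, user, DOWNLOAD_SUBDIR)
    return posixpath.commonpath([base, naive_output_path(user, output_name)]) != base


def validate_output_name(output_name: str) -> str:
    """Hardened form, part 1: accept only a bare file name. Also refuse names
    that a downloader such as curl or aria2c would read as an option if the
    name is placed on its command line (the report's 'additional parameters')."""
    if not output_name or output_name != output_name.strip():
        raise ValueError("empty or whitespace-padded name")
    if "\x00" in output_name:
        raise ValueError("NUL byte in name")
    if output_name.startswith("-"):
        raise ValueError("name would be parsed as a command-line option")
    if "/" in output_name or "\\" in output_name:
        raise ValueError("directory separator in name")
    if output_name in (".", ".."):
        raise ValueError("dot entry is not a file name")
    return output_name


def confined_output_path(user_download_dir: str, output_name: str) -> str:
    """Hardened form, part 2: resolve symlinks and confirm the final path is
    still inside the user's folder. This catches a symlink planted earlier
    inside the folder, which the name check alone cannot see."""
    name = validate_output_name(output_name)
    base = os.path.realpath(user_download_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the user's folder")
    return target


def demo() -> dict:
    """Run the report's payloads through both forms and return the outcomes."""
    results = {}
    for name in ("test100.zip", "../../../test100.zip",
                 "../../../UserB/files/test100.zip", "../../../.htaccess", "-o evil"):
        entry = {"naive": naive_output_path("UserA", name),
                 "escapes": escapes_download_folder("UserA", name)}
        try:
            validate_output_name(name)
            entry["accepted"] = True
        except ValueError as exc:
            entry["accepted"] = False
            entry["reason"] = str(exc)
        results[name] = entry

    # Constructed symlink scenario on a throwaway tree: a bare name passes the
    # name check, but the realpath check still refuses to write into UserB.
    with tempfile.TemporaryDirectory() as tmp:
        user_dir = os.path.join(tmp, "UserA", "files", "Downloads")
        victim_dir = os.path.join(tmp, "UserB", "files")
        os.makedirs(user_dir)
        os.makedirs(victim_dir)
        results["clean_confined"] = confined_output_path(user_dir, "test100.zip").startswith(
            os.path.realpath(user_dir) + os.sep)
        victim = os.path.join(victim_dir, "test100.zip")
        with open(victim, "w") as fh:
            fh.write("original content")
        os.symlink(victim, os.path.join(user_dir, "planted.zip"))
        try:
            confined_output_path(user_dir, "planted.zip")
            results["symlink_rejected"] = False
        except ValueError:
            results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The name check alone stops the `../` payloads from the report and the `.htaccess` case; the realpath containment check is defence in depth for a file that is already a symlink to somewhere else. When the output name is also handed to an external downloader, pass it as its own argument list element rather than through a shell and never let it occupy an option position, so that a name beginning with `-` cannot be read as a flag.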
