Date: Thu, 12 Jan 2017 23:51:29 +0100
From: Fabian Fingerle <fabian@...ensalat.eu>
To: fulldisclosure@...lists.org
Subject: [FD] nextcloud/owncloud user enumeration vulnerbility

nextcloud/owncloud user enumeration vulnerbility

Severity: MEDIUM

Discovered by:
Fabian Fingerle (@otih__)
https://fabian-fingerle.de

nextcloud/owncloud:
Nextcloud is functionally very similar to the widely used Dropbox, with
the primary functional difference being that Nextcloud is free and
open-source, and thereby allowing anyone to install and operate it
without charge on a private server. In contrast to proprietary services
like Dropbox, the open architecture allows adding additional
functionality to the server in form of so-called applications.
Nextcloud is an actively maintained fork of ownCloud. (wikipedia)

Desc:
An independent research uncovered a user enumeration vulnerability in
the password reset form. Response is revealing that account does
or does not exist. 
Even possible that an attacker is able to determine encrypted user
accounts, but has not been tested yet.

Patching:
vulnerbility reported 2016-03-26 and marked as enhancement
https://github.com/owncloud/core/issues/23595

Exploit:
$ pypy ex.py cloud.isp.com user.txt 
[+] owncloud / nextcloud user enumeration vulnerbility
[-]
[+] Collected all HTTP Cookie and Anti-CSRF-information
[-]
[+] user test is valid
[+] user customer is valid
[+] user n3rD is valid
[+] user h4xx0r is valid
[+] user admin is valid

For updates follow:

https://twitter.com/otih__

I'll send another email to the list once the trivial script is
published.

-- 
Regards,
Fabian Fingerle - aka otih
https://fabian-fingerle.de
t: @otih__

Content of type "application/pgp-signature" skipped


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists