lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 Jan 2017 23:51:29 +0100
From: Fabian Fingerle <fabian@...ensalat.eu>
To: fulldisclosure@...lists.org
Subject: [FD] nextcloud/owncloud user enumeration vulnerbility

nextcloud/owncloud user enumeration vulnerbility

Severity: MEDIUM

Discovered by:
Fabian Fingerle (@otih__)
https://fabian-fingerle.de

nextcloud/owncloud:
Nextcloud is functionally very similar to the widely used Dropbox, with
the primary functional difference being that Nextcloud is free and
open-source, and thereby allowing anyone to install and operate it
without charge on a private server. In contrast to proprietary services
like Dropbox, the open architecture allows adding additional
functionality to the server in form of so-called applications.
Nextcloud is an actively maintained fork of ownCloud. (wikipedia)

Desc:
An independent research uncovered a user enumeration vulnerability in
the password reset form. Response is revealing that account does
or does not exist. 
Even possible that an attacker is able to determine encrypted user
accounts, but has not been tested yet.

Patching:
vulnerbility reported 2016-03-26 and marked as enhancement
https://github.com/owncloud/core/issues/23595

Exploit:
$ pypy ex.py cloud.isp.com user.txt 
[+] owncloud / nextcloud user enumeration vulnerbility
[-]
[+] Collected all HTTP Cookie and Anti-CSRF-information
[-]
[+] user test is valid
[+] user customer is valid
[+] user n3rD is valid
[+] user h4xx0r is valid
[+] user admin is valid

For updates follow:

https://twitter.com/otih__

I'll send another email to the list once the trivial script is
published.

-- 
Regards,
Fabian Fingerle - aka otih
https://fabian-fingerle.de
t: @otih__

Content of type "application/pgp-signature" skipped


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists