Nextcloud

Note!!! Приглядитесь к репортам на h1, некоторым вулнам не назначали cve

1.Recon

find version

https://target/status.php

find api

https://target/ocs-provider/

Nextcloud Detection

nuclei -u target -t nextcloud-detect.yaml

2.Exploit

brureforce api

https://target/public.php/webdav
https://target/remote.php/dav/files/USERNAME/

Nextcloud Exposed Installation

nuclei -u target -t nextcloud-install.yaml

3. Recommend

disable the web-based upgrader simply set 'upgrade.disable-web' => true, in nextcloud’s config.php with this result:

4. Reports

Nextcloud program at HackerOne

  1. Code injection possible with malformed Nextcloud Talk chat commands to Nextcloud - 314 upvotes, $3000

  2. User can delete data in shared folders he's not autorized to access to Nextcloud - 165 upvotes, $250

  3. Access to all files of remote user through shared file to Nextcloud - 149 upvotes, $750

  4. Attacker can obtain write access to any federated share/public link to Nextcloud - 135 upvotes, $4000

  5. Missing ownership check on remote wipe endpoint to Nextcloud - 127 upvotes, $500

  6. Remote Code Execution via Extract App Plugin to Nextcloud - 121 upvotes, $0

  7. Re-Sharing allows increase of privileges to Nextcloud - 90 upvotes, $750

  8. No rate limiting for confirmation email lead to huge Mass mailings to Nextcloud - 78 upvotes, $0

  9. User deletion is not handled properly everywhere to Nextcloud - 75 upvotes, $1000

  10. Arbitrary SQL command injection to Nextcloud - 73 upvotes, $500

  11. Nextcloud Desktop Client RCE via malicious URI schemes to Nextcloud - 72 upvotes, $1000

  12. File-drop content is visible through the gallery app to Nextcloud - 68 upvotes, $500

  13. Arbitrary code execution in desktop client via OpenSSL config to Nextcloud - 59 upvotes, $100

  14. Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock to Nextcloud - 56 upvotes, $100

  15. Default Nextcloud Server and Android Client leak sharee searches to Nextcloud to Nextcloud - 53 upvotes, $750

  16. Clear text storage of proxy parameters and passwords to Nextcloud - 53 upvotes, $250

  17. Stored XSS in collabora via user name to Nextcloud - 48 upvotes, $0

  18. Two-factor authentication enforcement bypass to Nextcloud - 46 upvotes, $750

  19. SSL certificate not validated when registering with a provider to Nextcloud - 42 upvotes, $300

  20. Memory Leak in OCUtil.dll library in Desktop client can lead to DoS to Nextcloud - 40 upvotes, $100

  21. [Reflected XSS] In Request URL to Nextcloud - 37 upvotes, $50

  22. Remote code execution via path traversal in Zip extraction in the Extract app to Nextcloud - 37 upvotes, $0

  23. http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement to Nextcloud - 37 upvotes, $0

  24. Scoped apptokens can be changed by that very apptoken to Nextcloud - 36 upvotes, $1000

  25. Expired reshare links allow access to all files in share to Nextcloud - 36 upvotes, $400

  26. No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted to Nextcloud - 35 upvotes, $50

  27. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0

  28. 2FA Session not expires after the password reset to Nextcloud - 31 upvotes, $50

  29. SQL Injection found in NextCloud Android App Content Provider to Nextcloud - 30 upvotes, $150

  30. Group admins can remove arbitrary data from "data" directory (including admin data) to Nextcloud - 30 upvotes, $150

  31. Passwords being stored as plain text in logging to Nextcloud - 30 upvotes, $0

  32. I am because bug to Nextcloud - 29 upvotes, $0

  33. Reflected XSS in error pages (NC-SA-2017-008) to Nextcloud - 28 upvotes, $450

  34. Code injection in macOS Desktop Client to Nextcloud - 28 upvotes, $250

  35. Database error shown to the user when using a long guest name in richdocuments to Nextcloud - 28 upvotes, $0

  36. CSRF vulnerability that allows an attacker to modify encryption settings to Nextcloud - 27 upvotes, $0

  37. Persistent XSS via filename in projects to Nextcloud - 23 upvotes, $150

  38. Blind Stored XSS on iOS App due to Unsanitized Webview to Nextcloud - 23 upvotes, $100

  39. Leak arbitrary file under nextcloud android client privacy directory to Nextcloud - 23 upvotes, $100

  40. Bypass of privacy filter / tracking pixel blocker to Nextcloud - 23 upvotes, $100

refrencess

PreviousMS ExchangeNextSMTP

Last updated