e-alfred / ocdownloader

ocDownloader - AGPL-licensed multi-protocol download manager for Nextcloud using ARIA2, youtube-dl and Curl (supports Youtube, BitTorrent, HTTP, FTP)
https://github.com/e-alfred/ocdownloader
GNU Affero General Public License v3.0

[Security] Critical Security issue - how to report? #221

Closed GAS85 closed 2 years ago

GAS85 commented 3 years ago

I have a security vulnerability to report. How would you like me to report it? Please provide the appropriate contact information or instructions for where to report it.

SHA of Issue text file. SHA256:1bd7d43dda7ad5031455a52438dfb9b6e1ac3f94167adb83725d5b9d1a570deb

weeman1337 commented 3 years ago

Hi @GAS85 . You can send it via mail to me mail@michael-weimann.eu .

GAS85 commented 2 years ago

Any Update here? MR is still open and not a "secret" anymore.

GAS85 commented 2 years ago

[Security] User is able to download files outside of his Download folder, modify files of other users and replace System Files

## Escaping from the Downloads folder

### Steps to reproduce

1. Open the UI; using CURL, put any file you need in the URL, e.g. for PoC http://speedtest.wdc01.softlayer.com/downloads/test100.zip
2. In the section "HTTP output name" put e.g. `../../../test100.zip` and hit download
3. Via SSH check that the file was uploaded to the "root" of the data directory

```shell
ls -la /var/nextcloud/data/test*
-rw-r--r-- 1 www-data www-data 104874307 Sep 29 16:20 /var/nextcloud/data/test100.zip
```

4. Potentially you can modify the `.htaccess` file by this action, as the user is not limited in the file name.

## Replacing files of other users or adding new files

### Steps to reproduce

1. USER A: open the UI; using CURL, put any file you need in the URL, e.g. http://speedtest.wdc01.softlayer.com/downloads/test100.zip
2. In the section "HTTP output name" put e.g. `../../../UserB/files/test100.zip`
3. Check that the file exists and has some content:

```shell
ls -la /var/nextcloud/data/UserB/files/test* && md5sum /var/nextcloud/data/UserB/files/test*
-rw-r--r-- 1 www-data www-data 13 Sep 29 16:26 /var/nextcloud/data/UserB/files/test100.zip
e91b1d1a6b802538298fcfbd2a80ce59 /var/nextcloud/data/UserB/files/test100.zip
```

4. Hit Download
5. Via SSH check that the file was uploaded to the User B folder and replaced the content

```shell
ls -la /var/nextcloud/data/UserB/files/test* && md5sum /var/nextcloud/data/UserB/files/test*
-rw-r--r-- 1 www-data www-data 104874307 Sep 29 16:39 /var/nextcloud/data/UserB/files/test100.zip
d14dd5adbf56a6a1a29ec0450addbca4 /var/nextcloud/data/UserB/files/test100.zip
```

User A was able to completely replace the content of a file of User B. Potentially you can modify the `.htaccess` file by this action.

### Expected behaviour

It must be ensured that all sections passed to the command are checked against folder changes and the passing of additional parameters.

### Actual behaviour

Any user can modify all files on the host system that are accessible to the web server user, e.g. `www-data`.
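The "Expected behaviour" above amounts to validating the "HTTP output name" field before it reaches the downloader command. The following PHP guard is an added example written for this issue, not ocDownloader's own code: it refuses names that contain path segments, hidden names such as `.htaccess`, and names that a tool would parse as an option, then anchors the result under the user's download directory. The temporary directory and the sample names are constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Validate a user-supplied output file name and return the absolute path it
 * maps to inside $downloadsDir. Throws on anything that would leave that
 * directory or be interpreted as a command-line option. (Added example.)
 */
function safeOutputPath(string $downloadsDir, string $outputName): string
{
    // NUL bytes truncate paths in C-based tools such as aria2c and curl.
    if ($outputName === '' || strpos($outputName, "\0") !== false) {
        throw new InvalidArgumentException('empty or NUL-containing output name');
    }
    // Only a bare file name is allowed. basename() strips any directory part,
    // so "../../../test100.zip" no longer equals its own basename and fails.
    if ($outputName !== basename($outputName) || strpbrk($outputName, "/\\") !== false) {
        throw new InvalidArgumentException('output name must not contain path segments');
    }
    // "." and ".." are directories, and dotfiles like .htaccess are refused
    // conservatively because the web server treats them specially.
    if ($outputName[0] === '.') {
        throw new InvalidArgumentException('hidden or relative names are not allowed');
    }
    // A leading "-" would be read by aria2c/curl as an extra option, not a file name.
    if ($outputName[0] === '-') {
        throw new InvalidArgumentException('output name must not start with "-"');
    }
    $base = realpath($downloadsDir);
    if ($base === false) {
        throw new RuntimeException('downloads directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $outputName;
    // Defence in depth: the final path must still start with the base directory.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('resolved path escaped the downloads directory');
    }
    return $target;
}

// Constructed demo: a temp dir stands in for the user's Nextcloud Downloads folder.
$dir = sys_get_temp_dir() . '/ocdl_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$samples = ['test100.zip', '../../../test100.zip', '../../../UserB/files/test100.zip',
            '.htaccess', '--constructed-option=x'];
foreach ($samples as $name) {
    try {
        echo 'accepted: ', safeOutputPath($dir, $name), PHP_EOL;
    } catch (Exception $e) {
        echo "rejected: $name (", $e->getMessage(), ')', PHP_EOL;
    }
}
rmdir($dir);
```

Only `test100.zip` is accepted; the two traversal names from the report, the dotfile and the option-like name are all rejected before any command is built, and the returned path should then be passed to the downloader through `escapeshellarg()`.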