CVE-2023-28643: [Bug]: Name collision of shared folders · Issue #34015 · nextcloud/server

Nextcloud Server is an open source home cloud implementation. In affected versions, when a recipient receives 2 shares with the same name while a memory cache is configured, the second share replaces the first one instead of being renamed to {name} (2). It is recommended that Nextcloud Server be upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name with the same user.

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on GitHub (I’ve searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud’s Code of Conduct.

Bug description

When two or more (sending) users share a folder with the same (receiving) user, that receiving user will only see the folder of the latest (sending) user under the “shared” folder, without necessarily being aware of it. The other folders will only reappear if the receiving user renames the folder seen.

The issue was originally raised at https://help.nextcloud.com/t/shared-folder-with-same-name-starts-override-each-other-at-recipient-view/142574/3.

IMHO this is a critical bug, which could pose a major digital security risk that could be exploited to inject malicious files in another user’s folder.

But irrespective of this, users that share their (default) folders should not have to worry about name collisions.

Steps to reproduce

1. Alice shares her “Document” folder with Charly => Charly sees Alice’s “Document” folder.
2. Bob shares his “Document” folder with Charly => Charly only sees Bob’s “Document” folder.
3. Mallory shares his “Document” folder, which contains malware, with Charly => Charly only sees Mallory’s “Document” folder and may believe this is still Alice’s Document folder.

Expected behavior

Charly should see all three folders: Alice’s, Bob’s and Mallory’s “Document” folders, which may be renamed as "Document (Alice)", "Document (Bob)" and "Document (Mallory)" respectively.

Installation method

Community Docker image

Operating system

Fedora 36

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": false },
            { "path": "\/var\/www\/html\/custom_apps", "url": "\/custom_apps", "writable": true }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [ "localhost", "***REMOVED SENSITIVE VALUE***" ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "24.0.4.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "loglevel": "2",
        "log_type": "file",
        "logfile": "\/var\/www\/html\/data\/nextcloud.log",
        "log_rotate_size": "10485760",
        "log.condition": { "apps": [ "admin_audit" ] },
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "jpeg_quality": "60",
        "enabledPreviewProviders": {
            "1": "OC\\Preview\\Image",
            "2": "OC\\Preview\\MarkDown",
            "3": "OC\\Preview\\MP3",
            "4": "OC\\Preview\\TXT",
            "5": "OC\\Preview\\OpenDocument",
            "6": "OC\\Preview\\Movie"
        },
        "enable_previews": true,
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "auto, 30",
        "activity_expire_days": "30",
        "simpleSignUpLink.shown": false,
        "share_folder": "\/Shared",
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "htaccess.RewriteBase": "\/",
        "files_external_allow_create_new_local": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:

  • accessibility: 1.10.0
  • activity: 2.16.0
  • admin_audit: 1.14.0
  • apporder: 0.15.0
  • bruteforcesettings: 2.4.0
  • calendar: 3.5.0
  • circles: 24.0.1
  • cloud_federation_api: 1.7.0
  • comments: 1.14.0
  • contacts: 4.2.0
  • contactsinteraction: 1.5.0
  • dashboard: 7.4.0
  • dav: 1.22.0
  • deck: 1.7.1
  • encryption: 2.12.0
  • event_update_notification: 1.5.0
  • federatedfilesharing: 1.14.0
  • federation: 1.14.0
  • files: 1.19.0
  • files_external: 1.16.1
  • files_pdfviewer: 2.5.0
  • files_rightclick: 1.3.0
  • files_sharing: 1.16.2
  • files_trashbin: 1.14.0
  • files_versions: 1.17.0
  • files_videoplayer: 1.13.0
  • firstrunwizard: 2.13.0
  • logreader: 2.9.0
  • lookup_server_connector: 1.12.0
  • nextcloud-aio: 0.2.0
  • nextcloud_announcements: 1.13.0
  • notes: 4.5.1
  • notifications: 2.12.0
  • notify_push: 0.4.0
  • oauth2: 1.12.0
  • password_policy: 1.14.0
  • phonetrack: 0.7.0
  • photos: 1.6.0
  • privacy: 1.8.0
  • provisioning_api: 1.14.0
  • recommendations: 1.3.0
  • serverinfo: 1.14.0
  • settings: 1.6.0
  • sharebymail: 1.14.0
  • socialsharing_email: 2.5.0
  • support: 1.7.0
  • survey_client: 1.12.0
  • systemtags: 1.14.0
  • tasks: 0.14.4
  • text: 3.5.1
  • theming: 1.15.0
  • twofactor_backupcodes: 1.13.0
  • twofactor_totp: 6.4.0
  • user_status: 1.4.0
  • viewer: 1.8.0
  • weather_status: 1.4.0
  • workflowengine: 2.6.0

Disabled:

  • cookbook: 0.9.14
  • grauphel
  • socialsharing_diaspora: 2.5.0
  • user_ldap

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
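
The name collision described in this report, as an added example that is not part of the original issue and is not Nextcloud code: a small Python model of a recipient's share folder that shows the replace behaviour beside the {name} (2) renaming, plus an audit for colliding share names that an administrator who cannot upgrade could adapt. The share tuples and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data following the reproduction steps: (owner, recipient, folder name).
SHARES = [
    ("alice", "charly", "Document"),
    ("bob", "charly", "Document"),
    ("mallory", "charly", "Document"),
    ("alice", "charly", "Photos"),
]

def unique_name(name, taken):
    """Return `name`, or the first free '{name} (n)' with n >= 2."""
    if name not in taken:
        return name
    n = 2
    while f"{name} ({n})" in taken:
        n += 1
    return f"{name} ({n})"

def recipient_view(shares, recipient, rename_on_collision):
    """Map each mount point the recipient sees to its (owner, name) share.
    False models the reported replacement; True models the expected renaming."""
    view = {}
    for owner, rcpt, name in shares:
        if rcpt != recipient:
            continue
        target = unique_name(name, view) if rename_on_collision else name
        view[target] = (owner, name)  # without renaming, this overwrites the older share
    return view

def hidden_shares(shares, recipient, view):
    """Shares sent to `recipient` that appear nowhere in their view."""
    visible = set(view.values())
    return [(o, n) for o, r, n in shares if r == recipient and (o, n) not in visible]

def colliding_shares(shares):
    """Audit: (recipient, name) pairs that more than one owner has shared."""
    owners = defaultdict(list)
    for owner, rcpt, name in shares:
        owners[(rcpt, name)].append(owner)
    return {key: names for key, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for rename in (False, True):
        view = recipient_view(SHARES, "charly", rename)
        print(rename, view, hidden_shares(SHARES, "charly", view))
    print(colliding_shares(SHARES))
```
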
