Thanks to Mr. vigov5 (or you can call him v5, but not vigov), I was exposed to 2 cool bugs.

- Subdomain validation bypass in oauth2: patch is here https://github.com/owncloud/oauth2/pull/359/files
  - Nah, oauth2 is "hard".
- WebDAV API authentication bypass using pre-signed URLs: patch is here https://github.com/owncloud/core/pull/40962/files
  - Affected: core 10.6.0 – 10.13.0 [x]
At the time I'm writing this readme, there are instructions on setting up ownCloud with Docker here.

Actually I used:

```sh
docker run -p 8080:8080 -e OWNCLOUD_TRUSTED_DOMAINS=<domain or ip public of owncloud> -it owncloud/server:10.11.0
```
By default, the signingKey for a user is empty. That's why they added a check in lib/private/Security/SignedUrl/Verifier.php:

```php
// lib/private/Security/SignedUrl/Verifier.php (excerpt from the patch)
if ($signingKey === '') {
    \OC::$server->getLogger()->error("No signing key available for the user $urlCredential. Access via pre-signed URL denied.", ['app' => 'signed-url']);
    return false;
}
```
Constructing a valid signature for an empty signing key is not an easy task. (Many) thanks to ChatGPT for not wasting my day.
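To show why that empty-key check matters, here is an added toy model of the verifier before and after the patch. It is not ownCloud's code or its real signing scheme: the canonical string (the bare URL), the HMAC-SHA256 signature and the key store are constructed assumptions; only the empty-key logic mirrors the patched check.

```python
import hmac
import hashlib

# Simplified stand-in for ownCloud's pre-signed URL check. The canonical string
# (the bare URL) and HMAC-SHA256 below are constructed for illustration and are
# NOT ownCloud's real signing format; only the empty-key logic mirrors the patch.
LOG_MSG = "No signing key available for the user {user}. Access via pre-signed URL denied."


def compute_signature(url: str, signing_key: str) -> str:
    """HMAC over the URL (assumed scheme). Note that '' is a perfectly valid HMAC key."""
    return hmac.new(signing_key.encode(), url.encode(), hashlib.sha256).hexdigest()


def verify_before_patch(url: str, signature: str, signing_key: str) -> bool:
    """Pre-patch behaviour: the stored key is used as-is, even when it is ''."""
    return hmac.compare_digest(compute_signature(url, signing_key), signature)


def verify_after_patch(url: str, signature: str, signing_key: str, user: str, log: list) -> bool:
    """Patched behaviour: refuse outright when no key was ever generated for the user."""
    if signing_key == "":
        log.append(LOG_MSG.format(user=user))
        return False
    return hmac.compare_digest(compute_signature(url, signing_key), signature)


def demo() -> dict:
    url = "http://owncloud.example/remote.php/dav/files/admin/"  # constructed
    log = []
    keys = {"admin": ""}  # constructed key store: user never had a key generated (the default)
    # With an empty key, anyone can recompute the signature without knowing any secret.
    forged = compute_signature(url, "")
    results = {
        "before_patch_accepts_forged": verify_before_patch(url, forged, keys["admin"]),
        "after_patch_accepts_forged": verify_after_patch(url, forged, keys["admin"], "admin", log),
    }
    # Once a real key exists, only a signature made with that key verifies.
    keys["admin"] = "s3cr3t-constructed-key"
    legit = compute_signature(url, keys["admin"])
    results["after_patch_accepts_legit"] = verify_after_patch(url, legit, keys["admin"], "admin", log)
    results["after_patch_rejects_stale_forgery"] = not verify_after_patch(url, forged, keys["admin"], "admin", log)
    results["log"] = log
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The one logged line is exactly what a defender should be grepping for on a patched instance: a denied pre-signed URL for a user who never generated a key.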
You can run dav.py with python3, but before that don't forget to install the deps in requirements.txt, and don't ask me how to use it :)

How about trying this:

```sh
python3 dav.py -u admin -t http://google.com/
```
Update on 2023/12/05: it has been proven that RCE is possible (*)! Check out Ambionics' blog post by cfreal_.

*: conditions apply, but PATCH NOW
For educational and research purposes only. Use at your own risk.