public webdav endpoint not bruteforce protected

Disclosed: 2021-08-11 09:19:29 By rtod To nextcloud
Low
Vulnerability Details
Again related to https://hackerone.com/reports/1173684

I am having some trouble finding the code. However, if you do

```
curl -u "RANDOM1:RANDOM2" -X PROPFIND https://server/public.php/webdav
```

And then check your `oc_bruteforce_attempts` table. You'll see there is no entry registered.

## Impact

Low, just like on the other report. But should be fixed nonetheless.
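Since the report says failed attempts against this endpoint are not recorded in `oc_bruteforce_attempts`, the web server access log is the other place repeated guesses would be visible. The following is an added detection example, not code from the report or from Nextcloud: it counts failed requests to `/public.php/webdav` per client IP in a sliding window. The Apache combined log format, the 401 status for failed authentication, the threshold, the window and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(  # Apache "combined" log format is assumed
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/public.php/webdav"   # endpoint named in the report
THRESHOLD = 5                     # assumed: failures that trigger a flag
WINDOW = timedelta(seconds=60)    # assumed sliding window


def flag_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: max failures seen in any window} for IPs reaching threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        # assumed: a failed authentication is answered with HTTP 401
        if m["status"] != "401" or not (path == ENDPOINT or path.startswith(ENDPOINT + "/")):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def _line(ip, second, method="PROPFIND", path=ENDPOINT, status=401):
    # Builds one constructed sample line; IPs are from documentation ranges.
    ts = f"11/Aug/2021:09:{second // 60:02d}:{second % 60:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "curl/7.68.0"'


SAMPLE = (
    [_line("203.0.113.7", s) for s in range(0, 16, 2)]        # 8 failures in 14 s
    + [_line("198.51.100.4", s * 90) for s in range(6)]       # 6 failures, 90 s apart
    + [_line("192.0.2.10", s, status=207) for s in range(8)]  # successful requests
)

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE))
```
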
Report Stats
  • Report ID: 1192159
  • State: Closed
  • Substate: resolved
  • Upvotes: 17