I was informed about “Username disclosure” vulnerability found in OwnCloud 8.1.8, details:
As far as I can tell those URL’s in PoC description won’t work with NextCloud.
NextCloud is a fork of OwnCloud project, so it may have same issue but in different module/method.
Can you share your thoughts in regards to the topic.
It only works if you intercept the connection, they write. So it seems it would only work if you do not connect to owncloud with https?
Thanks for reply.
I assume that attack works only if an attacker has valid user session (or credentials). In case of NextCloud on my company’s premises HTTPS or HTTP makes no difference to the attack vector - JSON which I get from web-app consist only few user details, like my login and name.
Still the vulnerability description seems unclear to me cause, cite: “with all username informations”
What ‘informations’ can obtain an attacker? Just usernames? Or usernames+passwords? Very ambiguous.
I can not confirm or reproduce the issue without testing OwnCloud environment, what may seem as obvious answer to my questions - test it yourself
Perhaps someone already made a research and can shed some light.