Session Hijacking in Nextcloud server

nextcloud 29.0.5
vuln: session hijacking
observation:
During the security testing, it was observed that the Nextcloud server is vulnerable to session hijacking. By copying the session cookies from a logged-in browser session and pasting them into another browser, it was possible to bypass the authentication process and gain access to the account without re-entering credentials.

Is there any solution? Any configuration?

Please suggest.

Hi @D_Mandal,

Please read the → manual about user session configuration options ←


Much and good luck,
ernolf

1 Like
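As an added illustration of the session options that manual covers (this is not ernolf's post and not a file shipped by Nextcloud), here is a config/config.php fragment that shortens how long a copied session cookie stays usable. The option names are the ones documented in Nextcloud's config.sample.php; the numeric values are example choices for a stricter policy, not project defaults.

```php
<?php
// Added example, not Nextcloud's own config.php: a session-hardening fragment.
// Option names follow config.sample.php; the values below are example choices.
$CONFIG = array(
  // Idle lifetime of a session in seconds. After this much inactivity the
  // session (and any cookie copied from it) is no longer accepted.
  // Example value: 2 hours instead of the one-day default.
  'session_lifetime' => 60 * 60 * 2,

  // Do not let an idle browser tab keep the session alive with background
  // requests; only real user activity should extend it.
  'session_keepalive' => false,

  // Log the browser out automatically once session_lifetime has elapsed,
  // rather than waiting for the next request to notice the expiry.
  'auto_logout' => true,

  // Lifetime of the "remember me" cookie. Setting it to 0 disables the
  // "remember me" option, so no long-lived login cookie exists to be copied.
  'remember_login_cookie_lifetime' => 0,
);
```

Merge these keys into the existing `$CONFIG` array rather than replacing the file, since config.php also holds the instance id, database settings and secrets. Note what this does and does not buy you: a cookie lifted from a live browser remains valid until it expires or the user logs out (or an admin clears sessions), so these settings bound the exposure window; they do not make the cookie unusable while the session is alive.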

This isn’t session hijacking. If you have access to an already logged in browser you already have access.

That said, if you discover a legitimate vulnerability, the appropriate channels for reporting are not public channels [1][2].

[1] https://github.com/nextcloud/server/?tab=security-ov-file#readme
[2] Security in Nextcloud

3 Likes

This “vulnerability” isn’t exclusive to Nextcloud, but applies to any web application. To mitigate this, see: Session Hijacking in Nextcloud server - #2 by ernolf

Or, you could use external identity and authentication providers, which may have some of these settings configured by default and/or offer additional security mechanisms.

However, these solutions do not magically make your web applications more secure, or rather it depends on how they are configured. And they add additional complexity to your setup, which in turn makes them prone to misconfiguration if you don’t know exactly what you’re doing.

Also, as @jtr said, if someone gets local access to a client, for example through malware, there is only so much you can do on the server side, so of course endpoint protection and educating your users is just as important as hardening your servers, or in some cases even more important, as most “hacks” still happen because users install malicious software on their clients, or by simple phishing attacks.

1 Like