Nimbox Unauthenticated Direct Object Reference in Download Function

Advisory Information

Title: Nimbox Unauthenticated Direct Object Reference in Download Function

Date Published: 05/08/2016

Advisory Summary

Nimbox is a secure file sharing, collaboration, backup and cloud storage service for managing, sharing and syncing files across your environment. Their ‘vault.nimbox’ service, used for secure file sharing, was found to have an unauthenticated direct object reference vulnerability, resulting in the ability to download all customer data stored within https://vault.nimbox.co.uk.

Vendor

Nimbox

Affected Software

Product   Version              Platform
Nimbox    2.5.0 – 2.5.1.936    vault.nimbox.co.uk

Description of Issue

Nimbox’s ‘vault’ application contains a ‘download as a zip’ function, which allows clients to download the entire contents of their share instead of each file individually. This function makes use of three separate parameters when making its call to the API endpoint.

https://vault.nimbox.co.uk/1/files/share/<client_id>/<folder_id>/zip/<validation_token>

By iterating through each value of client_id and folder_id, it was possible to enumerate valid content and download the corresponding folder.

These requests can be made without first authenticating to the service; all that is required to invoke the download is a validation token, which can be obtained through multiple means (the simplest being to create a trial account).
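The root cause described above is an authorization check that only confirms a validation token exists, without binding that token to the requesting principal or to the specific client_id and folder_id in the URL. The following Python is an added illustration, not Nimbox code and not from the 7 Elements advisory: it models the weak check beside a hardened one in which the download token is an HMAC over (user, client_id, folder_id, expiry) and the user's entitlement to the client is re-checked at download time. All identifiers, the sample shares, the ACL and the server key are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (not from the advisory): two clients, one shared folder each.
SHARES = {
    ("1001", "2001"): b"client-A-report.zip",
    ("1002", "3001"): b"client-B-backup.zip",
}

# Constructed: which authenticated principal may access which client_id.
ACL = {"user-a": {"1001"}, "user-b": {"1002"}}

# Constructed: a bag of tokens that merely exist. This models the weak design in
# the advisory, where "a validation token" is checked for existence only and is
# not tied to the client or folder being requested.
ISSUED_TOKENS = {"tok-trial-account"}

# Constructed: server-side secret; a real service loads this from configuration.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_download(client_id, folder_id, token):
    """IDOR pattern: any existing token unlocks any (client_id, folder_id)."""
    if token not in ISSUED_TOKENS:
        return None
    # No check that the token holder is allowed to see this client's data.
    return SHARES.get((client_id, folder_id))


def _mac(user, client_id, folder_id, expires):
    msg = f"{user}|{client_id}|{folder_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_share_token(user, client_id, folder_id, ttl=3600, now=None):
    """Issue a download token only to a user authorized for client_id, and bind
    it to that user, client, folder and an expiry time."""
    if client_id not in ACL.get(user, set()):
        raise PermissionError(f"{user} may not access client {client_id}")
    expires = int(now if now is not None else time.time()) + ttl
    # Assumption: user ids contain no '.', so the token splits unambiguously.
    return f"{user}.{expires}.{_mac(user, client_id, folder_id, expires)}"


def hardened_download(client_id, folder_id, token, now=None):
    """Release the archive only if the token was issued for exactly this
    (user, client_id, folder_id), is unexpired, and the user is still entitled."""
    try:
        user, expires_str, mac = token.split(".", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if current > expires:
        return None
    # Re-check the ACL at download time so a revoked user loses access at once.
    if client_id not in ACL.get(user, set()):
        return None
    # Constant-time compare; a token minted for another folder, or a URL with a
    # swapped client_id/folder_id, produces a different MAC and fails here.
    if not hmac.compare_digest(_mac(user, client_id, folder_id, expires), mac):
        return None
    return SHARES.get((client_id, folder_id))


if __name__ == "__main__":
    trial = "tok-trial-account"
    print("vulnerable, foreign share:", vulnerable_download("1002", "3001", trial))
    tok = issue_share_token("user-a", "1001", "2001")
    print("hardened, own share:     ", hardened_download("1001", "2001", tok))
    print("hardened, foreign share: ", hardened_download("1002", "3001", tok))
```

The hardened variant closes both halves of the issue: a trial-account token cannot be reused against another customer's client_id/folder_id because the MAC covers those identifiers, and the server still consults the ACL on every download rather than trusting the token alone. Iterating identifiers in the URL then yields only refusals, which a defender can alert on as a burst of failed share downloads from one source.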

PoC

Further discussion and a proof of concept on this issue will be covered within a future 7 Elements blog post.

Timeline

Reported – 26th July 2016

Accepted – 26th July 2016

Patched – 27th July 2016

Advisory Published – 5th August 2016