Skip to content

fix(security): OC10-75 - restrict AppConfigController read methods to full admins only#41550

Open
DeepDiver1975 wants to merge 4 commits into
masterfrom
fix/oc10-75-appconfig-subadmin-privilege-escalation
Open

fix(security): OC10-75 - restrict AppConfigController read methods to full admins only#41550
DeepDiver1975 wants to merge 4 commits into
masterfrom
fix/oc10-75-appconfig-subadmin-privilege-escalation

Conversation

@DeepDiver1975
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 commented May 18, 2026

Summary

  • Security fix (CVSS 7.7): Removes @NoAdminRequired from getApps(), getKeys(), and getValue() in AppConfigController so the AppFramework's AdminMiddleware blocks Subadmin users from reading all oc_appconfig values (SMTP passwords, LDAP bind credentials, encryption master keys, etc.)
  • Collateral fix: Replaces a now-blocked OC.AppConfig.getValue AJAX call in settings/js/users/users.js with a synchronous DOM read of the server-rendered checkbox state — preserving correct UI behavior on the Subadmin-accessible /settings/users page
  • Updated the AppConfigController class docblock to accurately reflect that all methods now require full admin privileges

Details

The three read endpoints were annotated with @NoAdminRequired, which caused SecurityMiddleware to skip the admin check. Subadmins could exploit this to enumerate all app config keys and read any value — including credentials stored by SMTP, LDAP, OAuth, and encryption apps.

Write methods (setValue, deleteKey, deleteApp) were already admin-only. This PR makes the read methods consistent with them.

A cross-repo search of the entire ownCloud GitHub org found no other apps using the affected endpoints from Subadmin accessible UI, with one exception fixed here.

Reported by Pablo Giovanni. Confirmed on ownCloud 10.14.0 and 10.16.1.

Fixes: OC10-75

Test Plan

  • Log in as Subadmin → GET /index.php/settings/appconfig → HTTP 403
  • Log in as full admin → GET /index.php/settings/appconfig → HTTP 200
  • Log in as Subadmin → /settings/users → password/email field toggles correctly on page load
  • Log in as full admin → /settings/users → same behavior

@DeepDiver1975
fix(security): restrict AppConfigController read methods to full admi…
c3774de 
…ns only

OC10-75: Subadmins could read all oc_appconfig values including SMTP
passwords and LDAP credentials via getApps/getKeys/getValue endpoints.
Remove @NoAdminRequired so AdminMiddleware enforces full-admin-only access,
consistent with the write methods.

CVSS: 7.7
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975
fix: replace OC.AppConfig.getValue in users.js with server-rendered c…
da0fe97 
…heckbox state

The umgmt_set_password value is already rendered server-side into
#CheckBoxPasswordOnUserCreate's checked attribute. Remove the redundant
AJAX call which would now return 403 for Subadmins after the security fix.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from jvillafanez May 18, 2026 21:29
@update-docs
Copy link
Copy Markdown

update-docs Bot commented May 18, 2026

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

DeepDiver1975 and others added 2 commits May 19, 2026 00:39
@DeepDiver1975 @claude
docs: add entry for OC10-75 AppConfigController privilege escalation fix
91fd466 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 @claude
docs: add PR link for OC10-75
d00ecca 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 force-pushed the fix/oc10-75-appconfig-subadmin-privilege-escalation branch from 288cb95 to d00ecca Compare May 18, 2026 22:40
jvillafanez
jvillafanez approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jvillafanez jvillafanez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to check how subadmins are impacted in the web UI. There might be broken operations.

@DeepDiver1975
Copy link
Copy Markdown
Member Author

DeepDiver1975 commented May 19, 2026

We need to check how subadmins are impacted in the web UI. There might be broken operations.

Based on the analysis on where these endpoints are called - only users.js was affected.

But please feel free to test this as well - an additional pair of eyes is much appreciated 🙏

@jvillafanez
Copy link
Copy Markdown
Member

jvillafanez commented May 19, 2026

Screenshot from 2026-05-19 15-16-17

The checkboxes of the settings (bottom left corner) behaves weirdly for subadmins. The request returns with a 403, but both the checkbox and the affected field act as if it was successful. Of course, the settings aren't saved, so reloading the page will revert the page back.

Side note, the subdamin can't change the groups of the users he's managing. There have been changes in that regard, so I'm not sure about the correct state. It could be an expected behavior.

@DeepDiver1975
Copy link
Copy Markdown
Member Author

DeepDiver1975 commented May 20, 2026

The checkboxes of the settings (bottom left corner) behaves weirdly for subadmins. The request returns with a 403, but both the checkbox and the affected field act as if it was successful. Of course, the settings aren't saved, so reloading the page will revert the page back.

I guess not saving the state is acceptable as side effect of this sec fix. The UI behaves correct ...

@DeepDiver1975
Copy link
Copy Markdown
Member Author

DeepDiver1975 commented May 20, 2026

Side note, the subdamin can't change the groups of the users he's managing. There have been changes in that regard, so I'm not sure about the correct state. It could be an expected behavior.

no idea when (if?) this changed - never really using subadmin ....

@jvillafanez
Copy link
Copy Markdown
Member

jvillafanez commented May 20, 2026

Side note, the subdamin can't change the groups of the users he's managing. There have been changes in that regard, so I'm not sure about the correct state. It could be an expected behavior.

This seems to be expected (https://github.com/owncloud/core/blob/master/settings/js/users/users.js#L433-L438). Basically, for the subdamin, we require the users to be part of a group controlled by the subadmin. If there is only one group, it won't be possible to remove the user from that group, but if there are multiple groups the subadmin can move the users around those groups.
It seems to be a client-only check. The server allows removing the user. from the group.
It might be better to show the group as disabled if we can't interact with it, but I guess it's out of the scope at the moment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jvillafanez jvillafanez jvillafanez approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DeepDiver1975 @jvillafanez