Joplin: Joplin Insecure Synchronisation Authentication with Nextcloud Bug

Created on 7 Aug 2019 · 4 comments · Source: laurent22/joplin

This bug is not as scary as the title suggests. It requires human error and leaks credentials once. Still, this should be changed.

TL;DR

When syncing with Nextcloud, if the user inputs an "http" WebDAV URL, even if the server only supports "https", the Joplin client will send base64 credentials over the wire before the Nextcloud server can correct/redirect to a secure URL. Once given a "301" moved response, the client will properly use secure communications. This can lead to unintentionally sending insecure creds over the wire.

Hope that this helps make Joplin more secure! Probably not a very high priority, but should be dealt with eventually.

Environment

Joplin version: 1.0.160 (Not the most recent, but I can't seem to update =T. I think this bug will still work).
Platform: Windows
OS specifics: Windows 10, Windows Server 2016/2019

Nextcloud - 15.0.10
Ubuntu 18

Steps To Reproduce

  1. Install and configure Nextcloud with a self-signed cert.
  2. Install Joplin as usual.
  3. Go to Synchronisation options and select Nextcloud.
  4. Set the Synchronisation URL to the "http" version even though https is supported:
    http://NEXTCLOUD.whatever/remote.php/webdav/
  5. Capture the creds as they go on the wire.

Describe what you expected to happen:

10.0.1.2 = Client
10.0.0.15 = Nextcloud

Base64 decoded = joplin:uiyaf897ersyvhiesrynognohefn8oyseruihnvieynrhvih
Yes, that was my username and password for this.

SGUIL Report

Sensor Name:    sec-onion-ens192-1
Timestamp:  2019-07-14 01:07:03
Connection ID:  .sec-onion-ens192-1_3349
Src IP:     10.0.1.2
Dst IP:     10.0.0.15
Src Port:       6135
Dst Port:       80
OS Fingerprint: 10.0.1.2:6135 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] 
OS Fingerprint:   Signature: [S44:127:1:52:M1358,N,W8,N,N,S:.:Windows:?] 
OS Fingerprint:   -> 10.0.0.15:80 (distance 1, link: unknown-1398)

SRC: MKCOL /nextcloud/remote.php/webdav/Joplin/.sync/ HTTP/1.1
SRC: authorization: Basic am9wbGluOnVpeWFmODk3ZXJzeXZoaWVzcnlub2dub2hlZm44b3lzZXJ1aWhudmlleW5yaHZpaA==
SRC: if-none-match: JoplinIgnore-30777
SRC: accept-encoding: gzip,deflate
SRC: user-agent: node-fetch/1.0 (+https://github.com/bitinn/node-fetch)
SRC: connection: close
SRC: accept: */*
SRC: Host: 10.0.0.15
SRC: Content-Length: 0
SRC: 
SRC: 
DST: HTTP/1.1 301 Moved Permanently
DST: Date: Sun, 14 Jul 2019 01:07:03 GMT
DST: Server: Apache
DST: Location: https://10.0.0.15:443/nextcloud/remote.php/webdav/Joplin/.sync/
DST: Content-Length: 271
DST: Connection: close
DST: Content-Type: text/html; charset=iso-8859-1
DST: 
DST: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
DST: <html><head>
DST: <title>301 Moved Permanently</title>
DST: </head><body>
DST: <h1>Moved Permanently</h1>
DST: <p>The document has moved <a href="https://10.0.0.15:443/nextcloud/remote.php/webdav/Joplin/.sync/">here</a>.</p>
DST: </body></html>
DST: 

Wireshark Stream

PROPFIND /remote.php/webdav/ HTTP/1.1
depth: 0
authorization: Basic am9wbGluOnVpeWFmODk3ZXJzeXZoaWVzcnlub2dub2hlZm44b3lzZXJ1aWhudmlleW5yaHZpaA==
if-none-match: JoplinIgnore-2515
content-length: 190
accept-encoding: gzip,deflate
user-agent: node-fetch/1.0 (+https://github.com/bitinn/node-fetch)
connection: close
accept: */*
Host: 10.0.0.15

<?xml version="1.0" encoding="UTF-8"?>
            <d:propfind xmlns:d="DAV:">
                <d:prop xmlns:oc="http://owncloud.org/ns">
                    <d:getlastmodified/><d:resourcetype/>
                </d:prop>
            </d:propfind>HTTP/1.1 301 Moved Permanently
Date: Sun, 21 Jul 2019 19:28:39 GMT
Server: Apache
Location: https://10.0.0.15:443/remote.php/webdav/
Content-Length: 248
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://10.0.0.15:443/remote.php/webdav/">here</a>.</p>
</body></html>

Recommendations

  • Default to secure communication first, then go to http.
  • Have a button forcing users to "opt-in" to the insecure option.
  • Do a simple GET request at that address before sending the auth, to allow Nextcloud to give the client the updated secure address.
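The third recommendation (probe first, authenticate only once the final URL is known) combined with an explicit opt-in for plaintext, as an added example in the client's language; this is not Joplin's code. The `transport(url)` hook is an assumption standing in for an unauthenticated HTTP request, and `fakeNextcloud` is a constructed stand-in that answers the way the Apache front end in the capture above did (301 from http to https).

```javascript
// Added example, not Joplin's own code: probe the sync URL without credentials,
// follow any redirect the server issues, and only attach HTTP Basic auth once
// the final URL is https (or the user has explicitly opted in to plaintext).

// Minimal HTTP/1.x response-head parser: status line plus header lines.
function parseResponseHead(raw) {
  const [statusLine, ...rest] = raw.split(/\r?\n/);
  const status = parseInt(statusLine.split(' ')[1], 10);
  const headers = {};
  for (const line of rest) {
    if (line.trim() === '') break;           // blank line ends the head
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status, headers };
}

// Follow 301/302/307/308 redirects, sending an UNAUTHENTICATED request per hop.
// `transport(url)` is an assumed hook that returns the raw response head.
function resolveSyncUrl(startUrl, transport, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const { status, headers } = parseResponseHead(transport(url));
    if (![301, 302, 307, 308].includes(status) || !headers.location) return url;
    url = new URL(headers.location, url).href;  // also resolves relative Locations
  }
  throw new Error('too many redirects while resolving sync URL');
}

// Policy gate: Basic credentials only go over https unless the user opted in.
function buildAuthHeaders(finalUrl, username, password, allowInsecure = false) {
  const u = new URL(finalUrl);
  if (u.protocol !== 'https:' && !allowInsecure) {
    throw new Error(`refusing to send Basic credentials over ${u.protocol.slice(0, -1)} to ${u.host}`);
  }
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return { authorization: `Basic ${token}` };
}

// Putting it together: the URL and headers the client would actually use.
function planSync(config, transport) {
  const url = resolveSyncUrl(config.syncUrl, transport);
  const headers = buildAuthHeaders(url, config.username, config.password, config.allowInsecure);
  return { url, headers };
}

// Constructed fake server modelled on the capture in the report: the http URL
// answers 301 to https, the https URL answers 207 Multi-Status directly.
function fakeNextcloud(url) {
  if (url.startsWith('http://10.0.0.15/remote.php/webdav/')) {
    return 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n' +
           'Location: https://10.0.0.15:443/remote.php/webdav/\r\nContent-Length: 248\r\n\r\n';
  }
  return 'HTTP/1.1 207 Multi-Status\r\nContent-Type: application/xml\r\n\r\n';
}

const plan = planSync({
  syncUrl: 'http://10.0.0.15/remote.php/webdav/',   // the mistaken http URL
  username: 'joplin',
  password: 'example-password',                      // constructed value
  allowInsecure: false,
}, fakeNextcloud);
console.log(plan.url, plan.headers);
```

With the http URL from the report, `planSync` ends up sending credentials only to `https://10.0.0.15/remote.php/webdav/`; a server that never redirects off http makes `buildAuthHeaders` throw instead of leaking, unless `allowInsecure` was set deliberately.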
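The SGUIL report above is what the network side of this looks like: an alert on a Basic credential crossing port 80. As an added example (not from the report or from Joplin), here is the check such a detector performs over reconstructed request streams, written to name the account involved but never to repeat the secret. The stream object shape (`src`, `dst`, `dstPort`, `tls`, `payload`) is an assumption, and the sample streams are constructed, modelled on the Wireshark stream in the report with a made-up credential.

```javascript
// Added example (not from the report or Joplin): scan reconstructed plaintext
// HTTP request streams for Basic credentials sent in the clear and produce a
// finding that identifies the account but redacts the secret itself.

// Parse the request line and headers of a raw HTTP/1.x request.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/);
  const m = /^([A-Z]+)\s+(\S+)\s+HTTP\/1\.[01]$/.exec(lines[0]);
  if (!m) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break;           // blank line ends the head
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method: m[1], target: m[2], headers };
}

// Stream shape (assumed): { src, dst, dstPort, tls, payload }. TLS flows are
// skipped because the credential is protected there; everything else is read.
function findClearTextBasicAuth(streams) {
  const findings = [];
  for (const s of streams) {
    if (s.tls) continue;
    const req = parseRequestHead(s.payload);
    if (!req) continue;
    const auth = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(req.headers.authorization || '');
    if (!auth) continue;
    const decoded = Buffer.from(auth[1], 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    findings.push({
      src: s.src,
      dst: `${s.dst}:${s.dstPort}`,
      request: `${req.method} ${req.target}`,
      host: req.headers.host || '',
      user: sep >= 0 ? decoded.slice(0, sep) : decoded,
      secret: '[redacted]',                  // never copy the password into the alert
      userAgent: req.headers['user-agent'] || '',
    });
  }
  return findings;
}

// Constructed sample streams modelled on the Wireshark stream in the report;
// the credential is a made-up value, encoded here rather than pasted in.
const SAMPLE_TOKEN = Buffer.from('joplin:constructed-example-secret').toString('base64');
const SAMPLE_STREAMS = [
  { src: '10.0.1.2', dst: '10.0.0.15', dstPort: 80, tls: false,
    payload: 'PROPFIND /remote.php/webdav/ HTTP/1.1\r\ndepth: 0\r\n' +
             `authorization: Basic ${SAMPLE_TOKEN}\r\n` +
             'user-agent: node-fetch/1.0 (+https://github.com/bitinn/node-fetch)\r\n' +
             'Host: 10.0.0.15\r\n\r\n<?xml version="1.0"?>' },
  { src: '10.0.1.2', dst: '10.0.0.15', dstPort: 443, tls: true,
    payload: '<encrypted application data>' },
  { src: '10.0.1.2', dst: '10.0.0.15', dstPort: 80, tls: false,
    payload: 'GET /status.php HTTP/1.1\r\nHost: 10.0.0.15\r\n\r\n' },
];

console.log(JSON.stringify(findClearTextBasicAuth(SAMPLE_STREAMS), null, 2));
```

Only the plaintext PROPFIND produces a finding; the TLS flow and the unauthenticated GET are ignored, and the finding carries `user: "joplin"` with the secret redacted so the alert itself does not become a second copy of the credential.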

All 4 comments

Hmm, I'm not sure this is valid.

If someone enters an insecure address, they must know that the data is not encrypted. The fact that the server does force a redirect is another story.

@laurent22 what do you think? Should we add a popup or warning if someone attempts to use http?

I'll definitely let you guys make the decision on how to handle this. A popup sounds like a good option, or another button like the "Ignore TLS certificate errors" one. The fact that I made the mistake (and I tend to care a tad about the security of my notes) made me think others might do the same.

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as "backlog" and I will leave it open. Thank you for your contributions.

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please feel free to create a new issue with up-to-date information.
