How to prevent showing core-common.js from web?

How to prevent showing core-common.js from web?

The file is client-side Nextcloud JavaScript software and is needed. You can read here. What is your goal? Why do you want to prevent showing it from the web?

1 Like

Before going live, the security team assessed the system and found this:

| S/N | Title | Description | Impact/Evidence | Severity Level | Solution |
|---|---|---|---|---|---|
| 1 | Vulnerable JS Library | The identified library bootstrap, version 3.3.5 is vulnerable. | https://10.5.80.139/websftp/dist/core-common.js?v=704251bc-28 | High | Please upgrade to the latest version of bootstrap. |
| 2 | Application Error Disclosure | This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page. | https://10.5.80.139/websftp/dist/core-common.js?v=704251bc-28 | Medium | Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user. |

They are suggesting the above

For security please read Nextcloud security.

Which Nextcloud version do you use? Find it in config/config.php or access https://10.5.80.139/status.php. Read issue #33481. Read also Maintenance and Release Schedule.

Thanks for your kind support. We installed the 25.0.2 version. Recently we updated it to 26.0.2.

Looks like Split Bootstrap version reference in Tooltip .scss · nextcloud/nextcloud-vue@bf1d674 · GitHub

1 Like

Yes. I checked the file core-common.js from Nextcloud 26.0.2 with https://www.virustotal.com and I got no problems. I also think it is a false positive, if your Nextcloud version is supported.

I would rather rely on Nextcloud security and Nextcloud’s integrity check than on any virus scanner. If the software passes the integrity check there is no virus - or all Nextcloud instances have got the same virus. :wink: Do you have a virus scanner on your mobile phones, e.g. business iPhones? It is the same. The apps are checked by the software maintainer.

1 Like

Okay, this is only a bad comment (v3.5.5), right? If so, which version is used in the 26.0.2 version? Is there any way to remove it from the comment?

1 Like
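
One way to triage finding 1 is to see where the version string sits in the bundle: in a comment, in a string (such as embedded CSS), or in executable code. The script below is an added example, not part of the thread or of Nextcloud; the sample bundle, the function names and the match pattern are assumptions.

```python
import re

# Constructed sample: a version banner inside a CSS string and a comment.
SAMPLE = (
    '/*! constructed sample bundle */\n'
    'var css = ".tooltip{top:0} /* Bootstrap v3.3.5 (example) */";\n'
    '// styles adapted from Bootstrap v3.3.5\n'
    'function show(el){ el.title = "tip"; }\n'
)

def regions(js):
    """Yield (start, end, kind) with kind in comment/string/code.
    Heuristic lexer: regex literals and nested template expressions are not handled."""
    i, n, code_start = 0, len(js), 0
    while i < n:
        if js.startswith("/*", i):
            end, kind = js.find("*/", i + 2), "comment"
            end = n if end == -1 else end + 2
        elif js.startswith("//", i):
            end, kind = js.find("\n", i), "comment"
            end = n if end == -1 else end
        elif js[i] in "\"'`":
            j = i + 1
            while j < n and js[j] != js[i]:
                j += 2 if js[j] == "\\" else 1  # skip escaped characters
            end, kind = min(j + 1, n), "string"
        else:
            i += 1
            continue
        if code_start < i:
            yield code_start, i, "code"
        yield i, end, kind
        i = code_start = end
    if code_start < n:
        yield code_start, n, "code"

def find_version_refs(js, library="bootstrap"):
    """Return (version, kind, offset) for each '<library> vX.Y.Z' reference."""
    # Assumed banner-style pattern; a real scanner's signatures may differ.
    pat = re.compile(re.escape(library) + r"\s+v?(\d+\.\d+\.\d+)", re.I)
    return [(m.group(1), kind, m.start())
            for start, end, kind in regions(js)
            for m in pat.finditer(js, start, end)]

if __name__ == "__main__":
    for version, kind, offset in find_version_refs(SAMPLE):
        print(f"{version} found in {kind} at offset {offset}")
```

To use it on a real instance, pass the contents of `dist/core-common.js` to `find_version_refs`; the result shows where each version label comes from, which can be reported back to the assessment team together with the installed Nextcloud version.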