I noted that some information like apps and configurations from my installation is available to anyone from the login page embedded in the page code. Is this normal?
I used firefox / edge with private window and opened the developer mode (F12) > inspector tab
There you can find and click to expand this line:
<script nonce=""> ... </script>
Among other things, there is info like this line:
var _oc_appswebroots={"bruteforcesettings":"/apps/bruteforcesettings","calendar":"/apps/calendar","checksum":"/apps/checksum","cloud_federation_api":"/apps/cloud_federation_api","dashboard":"/apps/dashboard","dav":"/apps/dav","deck":"/apps/deck","federatedfilesharing":"/apps/federatedfilesharing","files":"/apps/files","files_external":"/apps/files_external","files_pdfviewer":"/apps/files_pdfviewer","files_rightclick":"/apps/files_rightclick","files_sharing":"/apps/files_sharing","files_trashbin":"/apps/files_trashbin","files_versions":"/apps/files_versions","groupfolders":"/apps/groupfolders","logreader":"/apps/logreader","lookup_server_connector":"/apps/lookup_server_connector","notifications":"/apps/notifications","oauth2":"/apps/oauth2","password_policy":"/apps/password_policy","passwords":"/apps/passwords","photos":"/apps/photos","provisioning_api":"/apps/provisioning_api","recommendations":"/apps/recommendations","related_resources":"/apps/related_resources","serverinfo":"/apps/serverinfo","settings":"/apps/settings","spreed":"/apps/spreed","suspicious_login":"/apps/suspicious_login","systemtags":"/apps/systemtags","tasks":"/apps/tasks","text":"/apps/text","theming":"/apps/theming","twofactor_backupcodes":"/apps/twofactor_backupcodes","twofactor_totp":"/apps/twofactor_totp","updatenotification":"/apps/updatenotification","viewer":"/apps/viewer","workflow_ocr":"/apps/workflow_ocr","workflow_script":"/apps/workflow_script","workflowengine":"/apps/workflowengine"};
And also this:
var oc_appconfig={"core":{"defaultExpireDateEnabled":true,"defaultExpireDate":31,"defaultExpireDateEnforced":false,"enforcePasswordForPublicLink":false,"enableLinkPasswordByDefault":false,"sharingDisabledForUser":false,"resharingAllowed":true,"remoteShareAllowed":true,"federatedCloudShareDoc":"https:\/\/docs.nextcloud.com\/server\/26\/go.php?to=user-sharing-federated","allowGroupSharing":true,"defaultInternalExpireDateEnabled":false,"defaultInternalExpireDate":null,"defaultInternalExpireDateEnforced":null,"defaultRemoteExpireDateEnabled":false,"defaultRemoteExpireDate":null,"defaultRemoteExpireDateEnforced":null},"files":{"max_chunk_size":10485760}};
This made me curious: aren’t app list and configs supposed to be confidential? Also, these seem quite valuable for someone trying to break in (app-specific attack).
Nextcloud 26.0.3, Ubuntu 22, Apache2, PHP8.1, x64 home server installation.
Just to clarify, I have A+ in nextcloud scan and A+ in SSL Labs