NC 12 Cannot Be Processed By The Script Error

AndyXheli · June 2, 2017, 7:51pm

Anyone seen this before?
Exception: The requested uri(/admin/images/tango.png) cannot be processed by the script ‘/core/templates/404.php’) at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729

Lars_M · June 7, 2017, 4:58am

i have the same Error Logs but with different requested uri

Exception: The requested uri(/phpmyadmin) cannot be processed by the script '/core/templates/404.php') at /var/www/vhosts/domain.tld/nextcloud/lib/private/AppFramework/Http/Request.php#729

AndyXheli · June 7, 2017, 3:47pm

I haven’t found a fix yet.

riff · June 8, 2017, 9:58am

same error here with different odd targets …

Exception: The requested uri(/phpMyAdmin/scripts/setup.php) cannot be processed by the script ‘/core/templates/404.php’) at /srv/dev-disk-by-label-Storage/nextcloud/lib/private/AppFramework/Http/Request.php#729

Exception: The requested uri(/pma/scripts/setup.php) cannot be processed by the script ‘/core/templates/404.php’) at /srv/dev-disk-by-label-Storage/nextcloud/lib/private/AppFramework/Http/Request.php#729

Exception: The requested uri(/myadmin/scripts/setup.php) cannot be processed by the script ‘/core/templates/404.php’) at /srv/dev-disk-by-label-Storage/nextcloud/lib/private/AppFramework/Http/Request.php#729

An attempt of an attack?

AndyXheli · June 8, 2017, 3:01pm

@jospoortvliet Do you know anything on this?

jospoortvliet · June 8, 2017, 3:03pm

Pfff, no, when, in what situation does this happen? A bit of context pls

Like, are you trying to feed your cat? Upload a file? Add a comment?

riff · June 8, 2017, 7:51pm

I can’t reproduce these errors in my logfile, they seem to appear randomly.

For testing, I upped files, set up shares, downloaded files, used WebDAV, synced contacts and kalendar with Thunderbird (SoGo) and Android. I use a Linux, a Windows and an Android Client as well.

I’ve been messing around, but nothing triggered these errors …

AndyXheli · June 9, 2017, 4:31am

Just got the error, and I didn’t do any tasks

Exception: The requested uri(/a2billing/common/javascript/misc.js) cannot be processed by the script ‘/core/templates/404.php’) at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#7

jospoortvliet · June 9, 2017, 8:36am

So these files - /a2billing/common/javascript/misc.js or /phpMyAdmin/scripts/setup.php etc, what are that? Where are those files located? In Nextcloud? On the storage of one of its users? Outside?

The /core/templates/404.php - well, a 404, so I guess something isn’t found…

riff · June 9, 2017, 9:26am

The file /phpMyAdmin/scripts/setup.php is nowhere located on my system, I don’t have phpmyadmin installed.

Odd to see a logfile entry with this pointer …

Same for

/pma/scripts/setup.php
/myadmin/scripts/setup.php

That’s why I suspect an attempt to reach those files within my web root by a possible attacker

AndyXheli · June 9, 2017, 2:25pm

I’m not sure thats what im trying to figure out. But i never had this error when i was on NC11 is started to appear after the update to NC12

riff · June 9, 2017, 7:10pm

Same here, appeared a couple hours after upgrade to version 12.

jospoortvliet · June 10, 2017, 12:03am

@LukasReschke could this be an attack?

Lars_M · June 10, 2017, 4:31pm

I have installed PHpmyadmin but not at these path. I Access it with an other subdomain. Last Access 3days ago .

nachoparker · July 28, 2017, 7:24am

I am also seeing these

Exception: The requested uri(/recordings/) cannot be processed by the script '/core/templates/404.php') at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729

Exception: The requested uri(/a2billing/common/javascript/misc.js) cannot be processed by the script '/core/templates/404.php') at /var/www/nextcloud/lib/private/AppFramework/Http/Request.php#729

It does smell bad to me

Maybe an attacker looking for vulnerable stuff? Not from nextcloud, but from asterisk, etc

a2billing looks like it is this

amanusk · August 8, 2017, 7:22am

I have started getting these as well. This look like an attack. It can be recreated by trying to access the main domain and some file. e.g.
mydomain.com/admin/config.php

I would love to know if there is a vulnerability in this, and how to fix it. And/Or stop the error.

nachoparker · August 8, 2017, 12:10pm

Well, it’s hacker kiddies scanning the web for vulnerable instances of software.

Not much we can do about that! Except muting that exception message.

I for one would not do that, in case there is a vulnerability in NC, it could help realize the attack

amanusk · August 9, 2017, 9:46am

I have noticed this usually comes after an ‘untrusted domain’ access directly to the IP.
Trusted domain error. “<SOME_IP>” tried to access using…

I have blocked such access with fail2ban. This seems to stop the kiddies.

alfred · August 9, 2017, 10:14am

Yes, fail2ban and brute force protection are the best bet against this. One step further would be a IPS/IDS like Snort or Suricata for the network as well as OSSEC or AIDE for the server.

tflidd · August 9, 2017, 10:29am

What webserver are you using and how does your configuration look like?

In nginx, stuff like this should only be in the vhost of NC:

location / {
    rewrite ^ /index.php$uri;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }

If nextcloud is in a subfolder, you should use this configuration: https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx

If you run nextcloud in the mainfolder and you want to run other services in subfolders, you must exclude them from this rewriting.