Nextcloud Base64


I want to know something. When I install nextcloud and log in, there are countless base64 Strings with really important settings how I configured my Installation. Is this supposed to be? They are in hidden input filelds

hi @Kitsune_Snow welcome to community :handshake:

could you please explain you issue with more details?

Stuff like this:


1 Like

and what’s your problem?

arent theese strings a huge security problem in terms of enumeration processes?

Yes, that is the way it works… BUT, those fileds are only “visible” for your browser, if you are logged in with a valid account. So it is definitively NOT a good idea, to expose those values here world readable.

I could read a lot of interna, a lot of websockets for notify-push and backend-servers from "Kreisverwaltung <somewhere>", that should definitively not be exposed here in public.

Please edit your post and remove that sensitive data in your own interest.

Viel Glück,

Nope they are visible from the beginning on. I am not logged in nor was i ever registered. I just installed nextcloud and when I got to the login page I saw theese hidden fields conaining the base64 strings

OK, you are right. That is why the

<input type="hidden" id="initial-state-core-loginUsername" value="IiI=">

value is "IiI=", which coresponds to ""

But even the domain-name is not meant to be placed here on the forum.
If this is the state of not loged in, then there are no security risks (I did not decode it all) but because of your privacy, I thought it would be better to remove from here.

Much luck.

Which settings/fields in particular?

To give you a more clear understanding from what is visible on your (or any other) nextcloud, without being logged in, I wrote this little scan script (need jq: apt-get jq):

Copy this code into a file:



function tmpfile(){ mktemp -t ${me}_XXXXXXXXXXXX; }
trap "rm -f /tmp/${me}_*" INT TERM EXIT
curl_call(){ curl -sA "Nextcloud ServerVersion Scan" -H "Accept-Language: ${LANG%.*}" $1 $cloudURL$2 > $3; }
curl_call -L / ${htmlfile:=$(tmpfile)}
curl_call -I /status.php ${headerfile:=$(tmpfile)}
curl_call -L /status.php ${statusfile:=$(tmpfile)}
echo $line
echo "Header Informations:"
echo "instanceid: $(grep -i 'set-cookie: [[:alnum:]]\{12\}=' $headerfile| awk -F'[ =]' '{print $2}' | sort -u)"
grep -iE "^(date|server|access|x)" $headerfile
echo $line
echo "Server Status (status.php): $(jq . $statusfile)"
echo $line
for id in $(grep -oP '<input type="hidden" id="\K[^"]+' $htmlfile|awk '!a[$0]++'); do
    echo -e "$id: $(grep -oP 'id="'$id'" value="\K[^"]+' $htmlfile|base64 -d|jq)\n$line"

exit 0

name it nc-serverinfo and make it executable:
chmod +x (/path/to/)nc-serverinfo

Now call it like this in console:

/path/to/nc-serverinfo https://cloudurl.tld

You can redirect it into a file, because it can be quiet a lot of information

It is only information that is important for client-software, no secret data with the knowledge of which one could cause damage or intruse the system

I hope this brings clarity,
much luck

1 Like