Nextcloud Base64

Hello

I want to know something. When I install Nextcloud and log in, there are countless base64 strings with really important settings about how I configured my installation. Is this supposed to be like this? They are in hidden input fields.

Hi @Kitsune_Snow, welcome to the community :handshake:

Could you please explain your issue in more detail?

Stuff like this:

removed

1 Like

And what's your problem?

Aren't these strings a huge security problem in terms of enumeration processes?

Yes, that is the way it works… BUT those fields are only "visible" to your browser if you are logged in with a valid account. So it is definitively NOT a good idea to expose those values here, world readable.

I could read a lot of internals, a lot of websockets for notify-push and backend servers from "Kreisverwaltung <somewhere>", that should definitively not be exposed here in public.

Please edit your post and remove that sensitive data in your own interest.

Good luck,
ernolf

Nope, they are visible from the beginning on. I am not logged in, nor was I ever registered. I just installed Nextcloud, and when I got to the login page I saw these hidden fields containing the base64 strings.

OK, you are right. That is why the

<input type="hidden" id="initial-state-core-loginUsername" value="IiI=">

value is "IiI=", which corresponds to ""

But even the domain name is not meant to be placed here on the forum.
If this is the state when not logged in, then there are no security risks (I did not decode it all), but for the sake of your privacy I thought it would be better to remove it from here. :wink:

Much luck.
ernolf

Which settings/fields in particular?

To give you a clearer understanding of what is visible on your (or any other) Nextcloud without being logged in, I wrote this little scan script (needs jq: apt-get install jq):

Copy this code into a file:

#!/bin/bash
# Usage: nc-serverinfo https://cloudurl.tld
# Shows what a Nextcloud instance hands to an unauthenticated visitor:
# response headers, status.php and the decoded "initial-state" hidden inputs.
# Needs curl, jq and base64.

[ -n "$1" ] || { echo "usage: $0 https://cloudurl.tld" >&2; exit 1; }
cloudURL=${1%/}    # strip a trailing slash

me=nc-serverinfo
tmpfile(){ mktemp -t "${me}_XXXXXXXXXXXX"; }
# remove the temp files on exit, wherever mktemp put them
trap 'rm -f "${TMPDIR:-/tmp}/${me}"_*' INT TERM EXIT

# curl_call <curl option> <path> <output file>
curl_call(){ curl -sA "Nextcloud ServerVersion Scan" -H "Accept-Language: ${LANG%.*}" "$1" "$cloudURL$2" > "$3"; }
htmlfile=$(tmpfile);   curl_call -L / "$htmlfile"              # login page, following redirects
headerfile=$(tmpfile); curl_call -I /status.php "$headerfile"  # response headers only
statusfile=$(tmpfile); curl_call -L /status.php "$statusfile"  # status JSON

line="================================================================================"
echo "$line"
echo "Header information:"
# Nextcloud names its session cookie after the instanceid (12 alphanumeric characters)
echo "instanceid: $(grep -i 'set-cookie: [[:alnum:]]\{12\}=' "$headerfile" | awk -F'[ =]' '{print $2}' | sort -u)"
grep -iE "^(date|server|access|x)" "$headerfile"
echo "$line"
echo "Server Status (status.php): $(jq . "$statusfile")"
echo "$line"
# every hidden input with an id carries base64-encoded JSON; decode and pretty-print each id once
for id in $(grep -oP '<input type="hidden" id="\K[^"]+' "$htmlfile" | awk '!a[$0]++'); do
    echo -e "$id: $(grep -oP 'id="'"$id"'" value="\K[^"]+' "$htmlfile" | head -n1 | base64 -d | jq .)\n$line"
done

exit 0

name it nc-serverinfo and make it executable:
chmod +x (/path/to/)nc-serverinfo

Now call it like this in console:

/path/to/nc-serverinfo https://cloudurl.tld

You can redirect it into a file, because it can be quite a lot of information.

It is only information that is important for client software, no secret data with the knowledge of which one could cause damage or intrude into the system.

I hope this brings clarity,
much luck

1 Like
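The bash script above needs a live instance. As an added example (not part of this thread and not ernolf's code), the same inventory can be done offline in Python over a constructed login-page fragment, which makes it easy to check what the parser does with each kind of value: the `"IiI="` empty string from the thread, a JSON `null`, a JSON object, and a hidden input whose value is not base64 at all (where the bash loop would print a `base64: invalid input` error, this version records the field as undecodable and continues). The sample HTML is constructed here; only `initial-state-core-loginUsername` and its value `"IiI="` appear in the thread, every other field name and value is hypothetical.

```python
import base64
import json
import re
from html import unescape

# Match each <input ...> tag, then pull out its double-quoted attributes, so the
# order of type/id/value inside the tag does not matter.
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'([\w:-]+)="([^"]*)"')
STATE_PREFIX = "initial-state-"  # prefix of the hidden fields shown in the thread


def encode_state(value):
    """Wrap a value the way the page shows it: JSON text, then base64."""
    text = json.dumps(value, separators=(",", ":"))
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def hidden_inputs(html):
    """Yield (id, value) for every <input type="hidden"> that has an id, in page order."""
    for tag in INPUT_TAG.finditer(html):
        attrs = {k.lower(): unescape(v) for k, v in ATTR.findall(tag.group(0))}
        if attrs.get("type", "").lower() == "hidden" and "id" in attrs:
            yield attrs["id"], attrs.get("value", "")


def audit_initial_state(html):
    """Inventory the initial-state fields an anonymous visitor receives.

    Returns {"fields": {id: {"value": decoded JSON, "empty": bool}},
             "undecodable": [ids whose value is not base64-wrapped JSON]}.
    """
    report = {"fields": {}, "undecodable": []}
    for field_id, value in hidden_inputs(html):
        if not field_id.startswith(STATE_PREFIX):
            continue  # other hidden inputs (tokens etc.) are not initial state
        try:
            decoded = json.loads(base64.b64decode(value, validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError all derive from it
            report["undecodable"].append(field_id)
            continue
        report["fields"][field_id] = {
            "value": decoded,
            "empty": decoded in ("", None, [], {}),
        }
    return report


# Constructed sample of a login-page fragment (not captured from any real instance).
# Only initial-state-core-loginUsername with value "IiI=" comes from the thread; the
# other field names and values are hypothetical.
EXAMPLE_CONFIG = {"version": "0.0.0-example", "features": ["a", "b"]}
SAMPLE_LOGIN_HTML = f"""
<html><body>
<input type="hidden" id="initial-state-core-loginUsername" value="IiI=">
<input type="hidden" id="initial-state-example-redirect" value="{encode_state(None)}">
<input type="hidden" id="initial-state-example-config" value="{encode_state(EXAMPLE_CONFIG)}">
<input type="hidden" id="initial-state-example-broken" value="not base64!">
<input type="hidden" id="example-other-token" value="YWJj">
</body></html>
"""

if __name__ == "__main__":
    result = audit_initial_state(SAMPLE_LOGIN_HTML)
    for field_id, entry in result["fields"].items():
        shown = "empty" if entry["empty"] else json.dumps(entry["value"])
        print(f"{field_id}: {shown}")
    for field_id in result["undecodable"]:
        print(f"{field_id}: value is not base64-encoded JSON")
```

Pointing `audit_initial_state` at the HTML saved by the bash script (`curl -L https://cloudurl.tld -o login.html`) gives the same listing for a real instance; the `empty` flag makes it quick to see which pre-login fields actually carry content and therefore deserve a closer look before the page is pasted anywhere public.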