Nextcloud nessus scan vulnerabilities

Hi everybody

We have scanned our Nextcloud installation and found some vulnerabilities. I expect to find some help on these issues. They are mostly information leak problems. I want to prevent/disable these issues…

1- The Nextcloud version can easily be found by examining the index.php source.
2- When we make a request to /apps/lookup_server_connector, instead of denying access, we get a redirect (HTTP 303), so this reveals our directory structure.
3- Some files can be downloaded without authentication, such as
nextcloud/apps/admin_audit/appinfo/info.xml
nextcloud/apps/cloud_federation_api/appinfo/info.xml
nextcloud/core/templates/filetemplates/template.odt
4- Some pages, although not downloaded, return HTTP 200, which reveals that they exist on our system, such as
status.php (and many more)
5- How can I disable the WebDAV service safely? What is it used for?
6- Help pages can be seen without auth, such as
nextcloud/core/doc/user/files/index.html
7- How can I force HSTS (HTTP Strict Transport Security)?

Our environment:
NextCloud ver: 20.0.8
OS: RHEL/CentOS
Apache: 2.4.6

I think these issues are mostly related to Apache, so here is our httpd.conf file:

<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/var/www">
    AllowOverride All
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html/nextcloud">

    Options Indexes FollowSymLinks

    AllowOverride All

    Require all granted
</Directory>

TIA…

As a user/visitor, you don’t see the real source, just the parsed code. From the parsed code, you can probably guess a version as well. If your Nextcloud is so old and unpatched that there are known security issues, an attacker will just try to exploit them.

Files with publicly known code… well, you can write rules to deny direct access.

Block them and see what is still working. status.php is used by clients.

It’s used for Nextcloud. Deinstall Nextcloud, shutdown apache? What do you expect?

https://docs.nextcloud.com/server/21/admin_manual/configuration_server/security_setup_warnings.html?the-strict-transport-security-http-header-is-not-configured#the-strict-transport-security-http-header-is-not-configured
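As an added example, not taken from this thread or from the Nextcloud project itself, here is one way to express the advice above in the poster's httpd.conf: directory listings off, direct access to the app metadata files and bundled help pages denied, and the HSTS header set as the linked Nextcloud documentation recommends. It assumes Apache 2.4 (the poster runs 2.4.6) with mod_headers loaded, the document root /var/www/html/nextcloud from the original post, and a TLS vhost; the hostname is a placeholder.

```apache
# Added example, not from the thread. Assumes Apache 2.4, mod_headers loaded,
# the document root from the original post and a TLS-only vhost.
<VirtualHost *:443>
    ServerName cloud.example.org          # placeholder hostname
    DocumentRoot /var/www/html/nextcloud

    # Item 7 (HSTS): the header value from the linked Nextcloud docs.
    # Only send it on the HTTPS vhost; 15552000 s is 180 days. Keep
    # includeSubDomains only if every subdomain is served over TLS.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /var/www/html/nextcloud>
        # The original config has "Options Indexes", which enables directory
        # listings; switch it off. FollowSymLinks stays on for mod_rewrite.
        Options -Indexes +FollowSymLinks
        # AllowOverride All keeps Nextcloud's own .htaccess rules in effect.
        AllowOverride All
        Require all granted

        # Item 3: app metadata files such as apps/*/appinfo/info.xml are
        # never needed by a browser, so deny direct download.
        <FilesMatch "^info\.xml$">
            Require all denied
        </FilesMatch>
    </Directory>

    # Items 3 and 6: the document templates and the bundled help pages.
    # Note that denying core/doc breaks the in-app help link for users.
    <LocationMatch "^/core/(templates|doc)/">
        Require all denied
    </LocationMatch>

    # Item 4: status.php is used by the sync clients (see the reply above),
    # so it is deliberately left reachable.
</VirtualHost>
```

After editing, run `apachectl configtest` before reloading, then follow the reply's advice of blocking and checking what still works: `curl -I https://cloud.example.org/apps/admin_audit/appinfo/info.xml` should now answer 403, and `curl -I https://cloud.example.org/status.php` should still answer 200 and carry the Strict-Transport-Security header.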

Thanks.

I am not attacking NC. I am just a newbie on Nextcloud (maybe too newbie). Trying to understand and fix what the security guys insisted on. But I am learning.