Hi everybody,
We have scanned our Nextcloud installation and found some vulnerabilities. I expect to find some help with these issues. They are mostly information leak problems. I want to prevent/disable these issues…
1- The Nextcloud version can easily be found by examining the index.php source.
2- When we make a request to /apps/lookup_server_connector, instead of denying access, we get a redirect (HTTP 303), so this exposes our directory structure.
3- Some files can be downloaded without authentication, such as
nextcloud/apps/admin_audit/appinfo/info.xml
nextcloud/apps/cloud_federation_api/appinfo/info.xml
nextcloud/core/templates/filetemplates/template.odt
4- Some pages, although not downloadable, return HTTP 200, which reveals that they exist on our system, such as
status.php (and many more)
5- How can I disable the WebDAV service safely? What is it used for?
6- Help pages can be seen without auth, such as
nextcloud/core/doc/user/files/index.html
7- How can I force HSTS (HTTP Strict Transport Security)?
Our environment:
Nextcloud ver: 20.0.8
OS: RHEL/CentOS
Apache: 2.4.6
I think these issues are mostly related to Apache, so here is our httpd.conf file:
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www">
    AllowOverride All
    # Allow open access:
    Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html/nextcloud">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
TIA…
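As an added example (not from the original post or from the Nextcloud project), here is a hardened version of the Nextcloud `<Directory>` block together with the HSTS header asked about in item 7. It keeps the poster's document root `/var/www/html/nextcloud`; the hostname `cloud.example.com` and the certificate paths are placeholders, and it assumes `mod_ssl` and `mod_headers` are loaded. The two changes that matter for the scan findings are `Options -Indexes` (so Apache never produces directory listings) and the `Strict-Transport-Security` header with the `max-age=15552000; includeSubDomains` value that the Nextcloud admin documentation recommends.

```apache
# Added example (not the poster's or Nextcloud's own config).
# Assumptions: mod_ssl and mod_headers are loaded; hostname and
# certificate paths below are placeholders to be replaced.

<VirtualHost *:443>
    # placeholder hostname
    ServerName cloud.example.com
    DocumentRoot /var/www/html/nextcloud

    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/pki/tls/certs/cloud.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/cloud.example.com.key

    # HSTS: "always" also applies the header to error responses;
    # 15552000 seconds (180 days) is the value Nextcloud's docs recommend.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /var/www/html/nextcloud>
        # -Indexes: no directory listings for any path without an index file.
        # +FollowSymLinks and AllowOverride All are needed so Nextcloud's
        # shipped .htaccess (rewrite and access rules) keeps working.
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Plain-HTTP listener only redirects, so every client reaches the HTTPS
# host that sends the HSTS header; the browser then pins HTTPS for 180 days.
<VirtualHost *:80>
    ServerName cloud.example.com
    Redirect permanent / https://cloud.example.com/
</VirtualHost>
```

After reloading Apache, `curl -sI https://cloud.example.com/` should show the `Strict-Transport-Security` line, and Nextcloud's own "Security & setup warnings" panel under Settings > Overview stops reporting the missing header. Note that HSTS only helps once the HTTPS setup is correct: a browser that has cached the header will refuse to connect if the certificate later becomes invalid, so test with a short `max-age` first if the certificate chain has not been verified yet.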