Nextcloud releases security scanner to help protect private clouds

Did you try to call them and ask for IPv4? I just moved my server from an IPv4-only provider to IPv6+DS-Lite, found out about all the problems related to it, called them and instantly got switched to dual stack :smiley:.

Not so far. In their FAQ they refer to a company which sells routers with configured IPv4 tunnel. Thank you for the hint.

The results don’t match for many clients I support. Neither the shown URL nor the domain host_prefix fits.
Most results are obsolete, so my question is how to force a rescan?
If I press the icon for rescan and wait for more than the suggested 5 minutes, nothing has changed for days.
I would really appreciate any kind of assistance. Thanks in advance. Carsten

After the rescan, you need a reload (Ctrl + F5)…

On my first try, the URL, which should be https://mycloudsname.com, was shown as https://mycloudsname.com/owncloud

In my apache conf I had
Alias /owncloud "pathToTheCloudDir"

After commenting this entry out, the test showed me the right URL…

So I think the test looks for “known” URLs and the first of them is shown, even if this is not the URL of the cloud…


Hi Soko, unfortunately Ctrl+F5 doesn’t solve this behaviour. Nextcloud is based on NGINX and hasn’t pointed to any subdir for weeks. NGINX and Redis were restarted several times … what might help?

Yes, I can reproduce your issue, don’t have a solution.

Trying with https://nc.c-rieger.de/login triggers a new scan and ends with a “no installation found” error…

Scan failed! The scan for the specified domain failed. Either no Nextcloud or ownCloud can be found there or you tried to scan too many servers.

I think Nextcloud has to delete the scan from 17/02/20 from their cache…

@LukasReschke ???

Thx for reproducing and assistance! Hopefully waiting for @LukasReschke :wink:

@LukasReschke: I can’t scan further URLs regarding this instance either:
e.g. https://nextcloud.dedyn.io

Suggestion:
I set X-Frame-Options to ALLOW-FROM because of Collabora - maybe the scanner could report the returned header instead of simply complaining that it isn’t set to SAMEORIGIN?

Great idea, thanks for this!

I’ve made the tweaks and want to rescan, but it’s remembering me :frowning:
How can I rescan, please?

Is there an option to clear the cache, the same as on the SSL test website? :slight_smile:

Edit: Requested a rescan and waited for a while, seemingly more than 5 mins; it didn’t seem to rescan in front of my eyes but in the background? Maybe I am wrong there, but the rescan did occur and gave an A+.

Hopefully there will be some reminders in the gui to rescan if it hasn’t been done for x period of time, so I don’t forget to keep checking it in the future :slight_smile:

Thanks

I solved the rescan issue by disabling GeoIP in NGINX.
After having restarted NGINX and pressed the icon for rescan, the new results were shown after a few minutes.

Nextcloud’s scan server seems to be located outside Germany and outside the US; that’s why it failed for me because of GeoIP.

It solved my problem too. I don’t know why it did not work last time when I changed GeoIP to “default yes;”.

Sorry, the rescan only happens after about 8 hours, I believe… It is a resource-usage limitation.

Ok sure, but in my case the rescan seemed to happen automatically in the background in 10 minutes.

Likely I was just lucky.

Thanks :slight_smile:

well, yeah, or maybe I’m wrong :wink:

I understand that this scanner works by querying domain.com/status.php (and also searching for it in a couple of other locations). I applaud any efforts to increase security, as a large portion of my day job is IT security and this is a great initiative. However I have a few questions.

  1. The idea of having a /status.php page which can be queried by anyone unnerves me a little. And in fact I’ve blocked public access to it on my server for now. Is there a better way of providing the information to the scanner? A POST request from the Nextcloud server to the scanner could provide the same information and would not be leaking information. You could simply provide a Scan button in the admin interface, or a regular cron job.

  2. If status.php is required by clients (as suggested elsewhere), should it not be visible only after authentication?

  3. As well as the version info provided by status.php, is there any other info assessed by the scan service to give the grade? (I’m guessing the presence of SSL is one element, perhaps some of the SSL parameters as well … and … what else?) Maybe we could figure out how to get those back to the scan server too.


Asked the same thing and it essentially boils down to public APIs. At some point you need to know which APIs to access. You can of course run requests against all your endpoints and see if they 404, but that’s inefficient. You can of course use a version in your API URL or pass a version token. The issue with that is that it’s a pain for forwards compatibility, because you never know which new features you can use from an API standpoint.

To solve that you could add an API call that tells you which API subversion you are dealing with and now you have arrived at the current status :smiley:

Apart from that, the version is not really an issue since automated attacks usually just brute force all vulnerabilities. Personally I’d also ignore status.php, since it’s more work to parse the version than just to try all known vulnerabilities, starting with the latest one.
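The two posts above describe what the scanner can actually derive from a publicly readable status.php (the version, and from it the “NOT on latest patch level” / “major version still supported” verdicts shown later in this thread), and an earlier post asks that the scanner report the X-Frame-Options value it received rather than only complaining that it is not SAMEORIGIN. The following is an added example, not Nextcloud’s scanner code, that models both offline: it parses a status.php body, grades the version against a table of newest patch releases, and reports the frame header actually seen. The sample body and the LATEST_PATCH table are constructed here (the version pair 9.1.3.2 / 10.0.3 is taken from the scan result quoted further down; the “newer” patch 9.1.4.2 is a hypothetical value chosen so the sample grades as out of date).

```python
"""Offline model of a status.php-based scan (added example, not Nextcloud's code)."""
import json
from typing import Dict, Mapping, Tuple

# Constructed sample in the shape of a public status.php reply.
SAMPLE_STATUS_BODY = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"9.1.3.2","versionstring":"10.0.3","edition":"",'
    '"productname":"Nextcloud"}'
)

# Hypothetical "newest patch per supported branch" table, keyed by the first two
# components of the internal version. Anything not listed is treated as unsupported.
LATEST_PATCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 1): (9, 1, 4, 2),    # assumed: one patch newer than the sample body
    (11, 0): (11, 0, 2, 7),  # assumed
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.3.2' into (9, 1, 3, 2); reject anything non-numeric so junk is never graded."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def parse_status(body: str) -> dict:
    """Parse a status.php body, keeping only the keys the scan needs."""
    data = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict) or "version" not in data:
        raise ValueError("no Nextcloud/ownCloud status document found")
    return {
        "installed": bool(data.get("installed", False)),
        "maintenance": bool(data.get("maintenance", False)),
        "version": parse_version(str(data["version"])),
        "versionstring": str(data.get("versionstring", "")),
        "productname": str(data.get("productname", "")),
    }


def grade_version(version: Tuple[int, ...], latest=LATEST_PATCH) -> str:
    """Compare a parsed version against the newest patch of its branch."""
    branch = version[:2]
    if branch not in latest:
        return "major version no longer supported"
    if version < latest[branch]:
        return "NOT on latest patch level"
    return "on latest patch level"


def report_frame_options(headers: Mapping[str, str]) -> str:
    """Report the X-Frame-Options value actually sent instead of a bare 'not SAMEORIGIN'."""
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return "X-Frame-Options: missing (no clickjacking protection from this header)"
    token = value.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return f"X-Frame-Options: {value.strip()} (ok)"
    if token.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never supported by every browser; CSP frame-ancestors is the portable form.
        return f"X-Frame-Options: {value.strip()} (framing allowed for that origin; prefer CSP frame-ancestors)"
    return f"X-Frame-Options: {value.strip()} (unrecognised value)"


def scan(body: str, headers: Mapping[str, str]) -> Dict[str, str]:
    """One scan: version verdict plus the frame header seen, or a scan-failed error."""
    try:
        status = parse_status(body)
    except ValueError as exc:
        return {"error": f"scan failed: {exc}"}
    shown = status["versionstring"] or ".".join(map(str, status["version"]))
    return {
        "product": f"{status['productname']} {shown}".strip(),
        "verdict": grade_version(status["version"]),
        "frame_options": report_frame_options(headers),
    }


if __name__ == "__main__":
    for key, val in scan(SAMPLE_STATUS_BODY, {"X-Frame-Options": "ALLOW-FROM https://office.example"}).items():
        print(f"{key}: {val}")
```

Blocking status.php, as the first poster did, makes `scan()` fall into the “scan failed” branch, which is exactly the error message quoted earlier in the thread; the version itself is still recoverable from other endpoints, which is the point the reply makes.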

Hi folks…
I registered for an automatic rescan every 8 hours.
Where is the hint on the scanner page that your URL is saved for automatic scanning?
I want to delete my URL from the scan.
Is that possible?

To remove your results please contact cloud-security-scan(at)nextcloud(dot)com.

Nice avatar by the way :wink:

I have my firewall locked down pretty tight and the scanner cannot seem to access my Nextcloud instance. This is likely due to the IP addresses used by the scanner being blocked by my server. Is there any chance you could post the IP addresses that the scanner is using, or even which hosting provider it would be coming from, so that I could unblock it?
Thanks.

Shouldn’t this be “Nextcloud 10.0.3”?

Rating: A
Running Nextcloud 9.1.3.2
NOT on latest patch level
Major version still supported
Scanned at 2017-03-26 09:10:00