Hi there we run Acunetix scan in our Nextcloud β17.0.2β and we got the below issues:
Password field submitted using GET method in the below items:
/index.php/apps/calendar/
/index.php/apps/files
/index.php/apps/files/
/index.php/apps/tasks/
/index.php/settings/admin
/index.php/settings/apps
/index.php/settings/help
/index.php/settings/user
/index.php/settings/users
/index.php/settings/users/admin
Also: HTML form without CSRF protection
in many pages examples:
/core/doc/user/
/core/doc/user/contents.html
/core/doc/user/external_storage/
/core/doc/user/pim/sync_thunderbird.html
/core/doc/user/search.html
/core/doc/user/session_management.html
/core/doc/user/user_2fa.html
/core/doc/user/userpreferences.
and many moreβ¦
Is this real? And is there any workaround or fix for them?
Our deployment details are:
RHEL 8.1
Operating system: Linux 4.18.0-147.0.3.el8_1.x86_64 #1 SMP Mon Nov 11 12:58:36 UTC 2019 x86_64
Webserver: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c (fpm-fcgi)
Database: mysql 10.3.17
PHP version: 7.2.11
Nextcloud version: 17.0.2 - 17.0.2.1