Security Disclosure in NextcloudPi Web Panel – Configuration Disclosure via HTML Source

:puzzle_piece: Summary of the Issue

By inspecting the HTML source code of the NextcloudPi web panel (https://<host>:4443), highly sensitive configuration data is exposed. This includes:

  • The entire config.php content, such as:
    • dbpassword, dbname, dbuser, mail_smtppassword, secret, instanceid, etc.
  • Credentials for SMTP servers
  • Information disclosure from system logs
  • Data loaded in the DOM even if not rendered visibly
  • All of this is exposed in the HTML source, making it retrievable even from browser cache after a session

:unlocked: Why This Is a Problem

This is not about GUI access or privilege escalation — it’s a serious information disclosure issue that:

  • Can occur without root access
  • Can occur without needing to be logged in, if cache is locally available
  • Allows an attacker with access to a user’s system to extract secrets after a legitimate session
  • Exposes confidential credentials and internal system structure, including SMTP credentials that could be used for impersonation or spam

:magnifying_glass_tilted_left: Demonstration: Recovering Sensitive Data via Firefox Cache

A real-world scenario: if someone accessed the panel from Firefox, then walked away or deleted their session, the sensitive HTML remains in local browser cache.

Here’s how it can be retrieved:


    # Create a working directory
    mkdir firefox_cache && cd firefox_cache

    # Copy Firefox cache entries (replace xxxxxx with your actual profile)
    cp ~/.cache/mozilla/firefox/xxxxxx.default-release/cache2/entries/* .

    # Search for sensitive data
    grep -i 'dbpassword\|smtp\|config.php' *

    # Or search for config form section
    grep -il '<div id="config-box">' *

    # View the cached HTML
    less <filename>

:hammer_and_wrench: Technical Root Cause

The following PHP lines inject config.php directly into the web interface:

    include( '/var/www/nextcloud/config/config.php' );

They appear in:

  • /var/www/ncp-web/index.php
  • /var/www/ncp-web/backups.php

Then, through elements.php, the form renderer outputs values into the page DOM.

:white_check_mark: How to Mitigate It

To prevent this exposure:

  1. Edit both files mentioned above and comment out the include line:

    // include( '/var/www/nextcloud/config/config.php' );
    
  2. Restart Apache:

    sudo systemctl restart apache2
    
  3. Clear the browser cache to remove any previously cached HTML.

:shield: Recommendations

  • Avoid using the NCP panel from shared or untrusted systems
  • Whitelist access to the admin panel via IP
  • Regularly purge your browser cache after administrative sessions
  • Monitor any use of SMTP from your domain in case of leaked credentials

:light_bulb: Notes

  • This behavior was confirmed in NextcloudPi version 1.55.3 (November 2024 ISO)
  • Even a clean install reproduces the issue
  • This does not violate access control directly, but constitutes a serious info leak

Let’s work together to raise awareness and secure deployments.

Best regards,
Alex

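One way to confirm that the mitigation steps in the post above took effect, as an added example that is not part of the original post or of NextcloudPi's code. The function names and the sample files are constructed for illustration, and the page check assumes the key names listed in the post appear literally in a saved copy of the panel HTML.

```bash
#!/bin/sh
# Added example (not NextcloudPi code): check that the mitigation took effect.

# Key names the post lists as exposed in the panel HTML.
SENSITIVE_KEYS='dbpassword|dbname|dbuser|mail_smtppassword|secret|instanceid'
# An include/require of config.php at the start of a line, i.e. not commented out.
INCLUDE_RE="^[[:space:]]*(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"]/var/www/nextcloud/config/config\.php['\"]"

# List file:line:text for every include of config.php that is still active.
# Lines commented out with // or # do not match (/* */ blocks are not handled).
# Exit status 0 means at least one active include was found.
active_includes() {
  grep -HnE "$INCLUDE_RE" "$@"
}

# Print each distinct sensitive key name present in a saved copy of the page.
# A hit on a generic word such as "secret" still needs a manual look.
leaked_keys() {
  grep -oiwE "$SENSITIVE_KEYS" "$1" | tr '[:upper:]' '[:lower:]' | sort -u
}

# Constructed fixtures: one unpatched file, one patched file, two saved pages.
make_fixtures() {
  printf '%s\n' '<?php' "include( '/var/www/nextcloud/config/config.php' );" > "$1/index.php"
  printf '%s\n' '<?php' "// include( '/var/www/nextcloud/config/config.php' );" > "$1/backups.php"
  printf '%s\n' '<div id="config-box">' \
    '<input name="dbpassword" value="EXAMPLE-ONLY">' \
    '<input name="mail_smtppassword" value="EXAMPLE-ONLY">' '</div>' > "$1/before.html"
  printf '%s\n' '<div id="config-box"></div>' > "$1/after.html"
}

# Demo run on the constructed fixtures.
tmp=$(mktemp -d)
make_fixtures "$tmp"
echo "Active includes of config.php:"
active_includes "$tmp/index.php" "$tmp/backups.php" || echo "  none"
echo "Keys in page saved before the fix: $(leaked_keys "$tmp/before.html" | tr '\n' ' ')"
echo "Keys in page saved after the fix:  $(leaked_keys "$tmp/after.html" | tr '\n' ' ')"
rm -rf "$tmp"
```

On a real installation, pass /var/www/ncp-web/index.php and /var/www/ncp-web/backups.php to active_includes, and run leaked_keys on a copy of the panel page saved after restarting Apache.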

I think it was set up so that if your NextcloudPi runs in your local network, the normal Nextcloud interface is the only thing that gets redirected from the outside, so the web admin panel is only accessible from within your network.
It is supposed to be used as a configuration tool, so it is normal that the configuration is visible and even that it can be changed.

However, they have disabled caching via html-headers:

If you have more ideas how to improve the security, it’s probably best to make suggestions and discuss on the bug tracker:

In such a case, please change all credentials.
