Security Scan Error: INVALID_HASH

ℹ️ Support
1

Operating system and version: Cloudlinux 7.9
Apache or nginx version: Apache 2.4.55
PHP version : 8.1
Nextcloud Hub 3: 25.0.3
Connecting using web browser (Chrome).

New setup. Ran the NextCloud Security Scan.

Log:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- INVALID_HASH
		- .htaccess
		- .user.ini

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [.htaccess] => Array
                        (
                            [expected] => d9cab0f077161bf043d6d85f5bcacbdfaf82913968b7706df9cf7e6f98b11af363f3843b455175ae775567916822fec8f6ab95000ba064c71e05c86a02196d95
                            [current] => 17c32c66e7a0eb4048813998f0f0b31f52af5abc00def7e1af3e6a4876546e67ea4dbec8b298d647f16b48e11c6a06ba4ff917ba5063f9411910bb51ec73e677
                        )

                    [.user.ini] => Array
                        (
                            [expected] => 4843b3217e91f8536cb9b52700efb20300290292cf6286f92794d4cec99df286afeb7dd6c91b1be20bc55eda541eef230a5c5e7dcd46c189edd0ed1e80c6d3f5
                            [current] => c5b570f9ea462872e62a275ab75d96ced3b0bd92b50ed77f04aae0ade7d6d87f5187ae9b056f19388bd498f3f8e01d6f11b5b04c80c617cf4374acb5031f8bb2
                        )

                )

        )

)

htaccess file:

      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)(\?v=.*)?$">
    Header set Cache-Control "max-age=15778463, immutable"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

AddDefaultCharset utf-8
Options -Indexes

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //




user init file:

mbstring.func_overload=0
always_populate_raw_post_data=-1
default_charset=‘UTF-8’
output_buffering=0

2

Could you please link your issues together, since you are clearly encountering many, which might be related.

3

Here is the link:

https://help.nextcloud.com/t/failed-to-authenticate-error-when-creating-new-user/155963

4

It is missing almost all of the questions from the template. Can you please add them depending on how you’ve installed Nextcloud with Docker, bare metal, Snap, VM, etc.

5

Nextcloud version (eg, 20.0.5): 25.0.3
Operating system and version (eg, Ubuntu 20.04): Cloudlinus 7.9
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.55
PHP version (eg, 7.4): 8.1

The issue you are facing: I am running a Security Scan and am received an error.

Is this the first time you’ve seen this error? (Y):

Steps to replicate it:

  1. Go to the Administration settings page
  2. Security & set up warnings will launch
  3. I receive a red error that there is an error regarding my setup
  4. I click on the list of “invalid files”
  5. I go to this page: /index.php/settings/integrity/failed
  6. Error log is posted in my earlier post

The output of your Nextcloud log in Admin > Logging:

There is no associated output

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'ocwrisw1ouep',
  'passwordsalt' => 'ahu6FGjh659087GHkkh59igDaEuolKGdrY6',
  'secret' => 'yHfD59fJ6D4S0lKj765fHkGssaMk95G4dsN',
  'trusted_domains' => 
  array (
    0 => 'www.xxx.yyy.com',
    1 => 'xxx.yyy.com',
    2 => 'http://xxx.yyy.com',
    3 => 'https://xxx.yyy.com',
    4 => 'http://www.xxx.yyy.com',
    5 => 'https://www.xxx.yyy.com',
  ),
  'datadirectory' => '/home/zzz/xxx.yyy.com/data',
  'dbtype' => 'mysql',
  'version' => '25.0.3.2',
  'overwrite.cli.url' => 'http://www.xxx.yyy.com',
  'dbname' => 'ddd_xxx',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'ddd_xxx',
  'dbpassword' => '1234567',
  'mysql.utf8mb4' => true,
  'installed' => true,
  'default_phone_region' => 'US',
  'mail_domain' => 'web.com',
  'mail_from_address' => 'user',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
);

The output of your Apache/nginx/system log in /var/log/____:

No access--shared server.

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

Don't see any.
6

Was installed using the Quick Install Wizard.

7

I noticed that the Invalid Hash for User disappears when I use Chrome as my browser instead of Safari.