Hello @gadiamb,
First of all, to answer your question, yes, you can of course hide the version information from status.php
by changing this
'version' => implode('.', \OCP\Util::getVersion()),
'versionstring' => OC_Util::getVersionString(),
into this.
'version' => '', //implode('.', \OCP\Util::getVersion()),
'versionstring' => '', //OC_Util::getVersionString(),
Note: any change to such files means that the next integrity check on those files will fail because their hash has changed, which will lead to warnings in the admin panel.
But what is your CISO trying to achieve with this? Does he think that the version is sensitive information?
Perhaps he is not aware that some data have to be exposed so that clients can communicate with Nextcloud, and Nextcloud in turn with its clients and other (Nextcloud) servers on the Internet. This includes the URL, for example. If you don’t have it, you won’t find the server, but no one would think of keeping the URL secret for security reasons if you want to share something.
If you are interested in which data can be read out with a single request, you can send me the URL of your cloud via PM, I will do a scan with my security scanner and immediately send you back all the information which one can read without knowing any other parameters. Then show that to your CISO.
If he has security-related concerns about the status.php, he should explain them. More details about Nextcloud's security policies can be found → here ← , but I can say straight away that exposing the version information in the status.php is not security related, unless the server is not updated on a regular basis. And even then it is not the visible version information, but the missing update which increases the security risk.
h.t.h.
Much and good luck,
ernolf
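
The integrity-check note in the post above, as an added example (not part of the original post and not Nextcloud's own checker): a simplified hash-manifest check showing that the two-line edit to status.php changes the file's digest and gets the file reported. The file contents, the SHA-512 manifest layout, the function names and the report labels are assumptions made for this illustration.

```php
<?php
// Added example: simplified model of a hash-based integrity check.
// Not Nextcloud's code; file contents below are constructed samples.

/** Build a manifest of relative path => SHA-512 hex digest. */
function buildManifest(array $files): array {
    $manifest = [];
    foreach ($files as $path => $content) {
        $manifest[$path] = hash('sha512', $content);
    }
    ksort($manifest);
    return $manifest;
}

/** Compare the current files against the shipped manifest. */
function verify(array $manifest, array $files): array {
    $current = buildManifest($files);
    // Report labels are this example's own naming.
    $report = ['INVALID_HASH' => [], 'FILE_MISSING' => [], 'EXTRA_FILE' => []];
    foreach ($manifest as $path => $expected) {
        if (!array_key_exists($path, $current)) {
            $report['FILE_MISSING'][] = $path;
        } elseif (!hash_equals($expected, $current[$path])) {
            $report['INVALID_HASH'][] = $path;
        }
    }
    foreach (array_diff_key($current, $manifest) as $path => $_) {
        $report['EXTRA_FILE'][] = $path;
    }
    return array_filter($report); // drop categories with no findings
}

// Constructed stand-ins for shipped files (not the real file contents).
$shipped = [
    'status.php' => "'version' => implode('.', \\OCP\\Util::getVersion()),\n"
                  . "'versionstring' => OC_Util::getVersionString(),\n",
    'index.php'  => "<?php // constructed placeholder\n",
];
$manifest = buildManifest($shipped);

// Apply the edit from the post to the local copy only.
$local = $shipped;
$local['status.php'] = "'version' => '', //implode('.', \\OCP\\Util::getVersion()),\n"
                     . "'versionstring' => '', //OC_Util::getVersionString(),\n";

var_dump(verify($manifest, $shipped) === []); // check the untouched tree
print_r(verify($manifest, $local));           // check the edited tree
```

Because the manifest is generated from the shipped files, any local edit, including one that only blanks two values, has to be reapplied and re-flagged after every update that replaces status.php.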