Status.php - does not look good to me


#1

Hello, is this status from my https://cloud.xxx.xx/status.php
website normal? It looks to me like something is not good.

{"installed":true,"maintenance":false,"version":"9.1.2.2","versionstring":"10.0.2","edition":""}

Please advise…


#2

That actually looks OK to me but I’m a bit worried that the status.php is available publicly. It could be exploited potentially as it discloses some serious details, doesn’t it?


#3

That’s very right to me as well. It should only be possible for an admin to see it inside the Nextcloud web interface…


#4

Well, probably not because the purpose of the status.php seems to be that external monitoring systems can easily check the status of the site. But that should probably be protected with a shared secret.


#6

The version number. For the client it is required to have the version number because some client/server-combinations don’t work together (e.g. one of them is very old). So you could limit information to authenticated users.

On the other hand, there are other ways to identify the version. The login page probably changes a bit between the versions and if there are some serious security bugs found, an attacker could just give it a try assuming that you didn’t upgrade.

@LukasReschke