The Nextcloud application library structure can be detected by automated tools

We had a Black-Box penetration test. The result: the Nextcloud application library structure can be detected by automated tools:

  • “301 Moved Permanently” → existing Nextcloud folder,
  • “403 Forbidden” → existing Nextcloud folder,
  • “404 Not Found” → non-existing Nextcloud folder.

Is there any way to disable the display of path information?

Nextcloud version 27.1.9
Operating system: Debian 10.13
Apache 2.4.59
PHP 8.2.18

Welcome @dezsit to the community forum of NC.

First of all: who is “we” in this case?

The reason why I ask this is: if “we” means a company you might be better off asking pro-support about that strange behaviour.

Of course you could try your luck here as well. But I’m afraid this is an uncommon error… so I’m afraid you might want to give out more information about your instance. Try using this support template as an orientation.


I’m not so sure if this is actually an error…

While I am not sure what @dezsit exactly means by “existing or non-existing Nextcloud folder”, I can definitely determine whether a certain app is installed or not without being logged in using a simple GET request from a browser:

For example:

https://cloud.domain.tld/apps/calendar returns a 303, while https://cloud.domain.tld/apps/nameofanappthatisnotinstalled returns a 404

However, I am not an expert and I have no idea if this can or even should be prevented, but I would guess it is normal behavior for any Nextcloud instance since it is the same on all my instances and I am pretty sure that I have not misconfigured anything. :wink:

But maybe someone more knowledgeable than me can elaborate a bit on whether this behavior is actually normal and if so, why it behaves like this … :slight_smile:
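Both the original report (301/403 for existing folders versus 404 for missing ones) and the reply above (303 for an installed app under /apps/, 404 otherwise) describe the same thing: a scanner walking a wordlist of paths and sorting them by status code. Whether or not that counts as a security issue, it leaves a recognisable footprint in the web server's access log, which is the side an administrator can act on. The script below is an added example written for this thread, not Nextcloud or forum code. It parses Apache combined-format log lines and flags clients that request many distinct paths in a short window and receive almost only 3xx/403/404 answers. The log lines, IP addresses, path names and thresholds are all constructed here for illustration and are not taken from the poster's test.

```python
"""Flag HTTP clients whose response pattern looks like path enumeration.

Added example for this thread (not Nextcloud code). A client that gets
mostly 301/303/403/404 answers across many distinct paths within a minute
behaves like the automated tool the original poster describes; an ordinary
user loads a handful of pages that mostly return 200.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Status codes that, seen together, tell a scanner whether a path exists.
PROBE_STATUSES = {301, 303, 403, 404}

# Constructed sample log lines (not from the thread). 203.0.113.7 probes
# many paths in a few seconds; 198.51.100.4 is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /apps/calendar HTTP/1.1" 303 - "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /apps/nameofanappthatisnotinstalled HTTP/1.1" 404 1234 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /dir01 HTTP/1.1" 404 1234 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "GET /dir02 HTTP/1.1" 403 1000 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /dir03 HTTP/1.1" 404 1234 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:06 +0000] "GET /dir04 HTTP/1.1" 301 - "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:07 +0000] "GET /dir05 HTTP/1.1" 404 1234 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:08 +0000] "GET /dir06 HTTP/1.1" 404 1234 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:09 +0000] "GET /dir07 HTTP/1.1" 404 1234 "-" "scanner/1.0"
203.0.113.7 - - [10/May/2024:12:00:10 +0000] "GET /dir08 HTTP/1.1" 404 1234 "-" "scanner/1.0"
198.51.100.4 - - [10/May/2024:12:00:05 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:06 +0000] "GET /index.php/apps/dashboard/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:07 +0000] "GET /favicon.ico HTTP/1.1" 200 111 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:08 +0000] "GET /missing-bookmark HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_enumerators(lines, min_paths=8, window_seconds=60, probe_ratio=0.8):
    """Return {ip: summary} for clients whose traffic looks like a path scan.

    A client is flagged when, within `window_seconds`, it requested at least
    `min_paths` distinct paths and at least `probe_ratio` of those responses
    were in PROBE_STATUSES. The thresholds are assumptions to tune per site.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path, status = parsed
            per_ip[ip].append((ts, path, status))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()  # order this client's requests by time
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            paths = {p for _, p, _ in window}
            if len(paths) < min_paths:
                continue
            probes = sum(1 for _, _, s in window if s in PROBE_STATUSES)
            ratio = probes / len(window)
            if ratio >= probe_ratio:
                flagged[ip] = {
                    "distinct_paths": len(paths),
                    "probe_ratio": round(ratio, 2),
                    # Paths the scanner learned exist (redirected or forbidden).
                    "existing_hits": sorted(p for _, p, s in window if s in (301, 303, 403)),
                }
                break  # one hit per client is enough
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run against a real access log the same way (`find_enumerators(open("/var/log/apache2/access.log"))`), and the "existing_hits" list tells you exactly which directories the scan confirmed, which is the information the original poster was worried about. The thresholds are deliberately conservative; a logged-in user clicking through the web UI rarely touches eight distinct paths that all answer with redirects or errors inside a minute.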

This might be a good place to start: Security Policy

Hmm, according to Threat model - Nextcloud I suspect this particular thing probably wouldn’t be considered a security risk at all.

So no bounty for us, I guess :wink:

As written by @jtr please reach out via our security program.

And please provide a more meaningful description or include the test result.

Thanks