NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.93k stars 2.66k forks

Management login page leaks implementation version number before login #1025

Open qriff opened 3 years ago

qriff commented 3 years ago

Describe the bug

Management login page leaks implementation version number before login, declaring available vulnerabilities.

To Reproduce

Steps to reproduce the behavior:

  1. Browse to management login page
  2. Observe visible version number (v2.8.1)
  3. Open html sources and confirm referenced version number

Expected behavior

No specific details should be produced before successful login.

<link href="/css/main.css?v=2.8.1" rel="stylesheet">
<div class="page" id="login" data-version="2.8.1">
<span class="loader"></span></div><script src="/js/login.bundle.js?v=2.8.1">

In \frontend\html\partials\header.ejs

<link href="/css/main.css?v=<%= version %>" rel="stylesheet">

github-actions[bot] commented 8 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

qriff commented 8 months ago

Still an issue:

<link href="/css/main.css?v=2.10.4" rel="stylesheet">
<div class="page" id="login" data-version="2.11.1">
<script src="/js/login.bundle.js?v=2.11.1">
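
A regression check for the three markers reported in this thread (the `?v=` query string on asset URLs and the `data-version` attribute), as an added example that is not part of the thread or the project's code. The function and constant names are hypothetical, and the hardened sample assumes one possible mitigation: an opaque build hash as the cache-buster.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Dotted release numbers such as 2.8.1 or v2.11.1 (not opaque build hashes).
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+){1,3}$")

class VersionLeakFinder(HTMLParser):
    """Collect version-looking values exposed through tag attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, where, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "data-version" and VERSION_RE.match(value):
                self.findings.append((tag, name, value))
            elif name in ("href", "src"):
                # Cache-busting query string on asset URLs: ?v=x.y.z
                for v in parse_qs(urlsplit(value).query).get("v", []):
                    if VERSION_RE.match(v):
                        self.findings.append((tag, name + "?v", v))

def find_version_leaks(html):
    """Return every release number visible in the given unauthenticated HTML."""
    finder = VersionLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Markup quoted in the issue, with closing tags added so it parses cleanly.
REPORTED_PAGE = """
<link href="/css/main.css?v=2.10.4" rel="stylesheet">
<div class="page" id="login" data-version="2.11.1">
<span class="loader"></span></div><script src="/js/login.bundle.js?v=2.11.1"></script>
"""

# Constructed sample (assumption): same page with the attribute dropped and an
# opaque build hash as the cache-buster.
HARDENED_PAGE = """
<link href="/css/main.css?v=3f9a1c2e" rel="stylesheet">
<div class="page" id="login">
<span class="loader"></span></div><script src="/js/login.bundle.js?v=3f9a1c2e"></script>
"""

if __name__ == "__main__":
    for page in (REPORTED_PAGE, HARDENED_PAGE):
        print(find_version_leaks(page) or "no version markers found")
```

Run against the HTML the login route serves to a client with no session, a non-empty result means the release number is still exposed before authentication.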