Running OpenVAS on my network, the NextCloud AIO solution was found to have a medium security issue with a cookie use.
Port 8081 (nextcloud/all-in-one:latest) and 11001 (nextcloud-aio-apache)
Summary
The remote HTTP web server / application is missing to set the
'Secure' cookie attribute for one or more sent HTTP cookie.
Detection Result
The cookies:
Set-Cookie: PHPSESSID=***replaced***; path=/
are missing the "Secure" cookie attribute.
Insight
The flaw exists if a cookie is not using the 'Secure' cookie
attribute and is sent over a SSL/TLS connection.
This allows a cookie to be passed to the server by the client over non-secure channels (HTTP) and
subsequently allows an attacker to e.g. conduct session hijacking attacks.
Detection Method
Checks all cookies sent by the remote HTTP web server /
application over a SSL/TLS connection for a missing 'Secure' cookie attribute.
Summary
The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
Detection Result
The cookies:
Set-Cookie: PHPSESSID=***replaced***; path=/
are missing the "HttpOnly" attribute.
Insight
The flaw exists if a session cookie is not using the 'HttpOnly'
cookie attribute.
This allows a cookie to be accessed by JavaScript which could lead to session hijacking
attacks.
Detection Method
Checks all cookies sent by the remote HTTP web server /
application for a missing 'HttpOnly' cookie attribute.
Details:
[Missing 'HttpOnly' Cookie Attribute (HTTP) OID: 1.3.6.1.4.1.25623.1.0.105925](http://192.168.2.17:9392/nvt/1.3.6.1.4.1.25623.1.0.105925)
Version used:
2023-01-11T10:12:37Z
Affected Software/OS
Any web application with session handling in cookies.
Solution
Solution Type:
Mitigation
Set the 'HttpOnly' attribute for any session cookie.
Summary
The remote web server supports the TRACE and/or TRACK
methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
Detection Result
The web server has the following HTTP methods enabled: TRACE
Insight
It has been shown that web servers supporting this methods
are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in
conjunction with various weaknesses in browsers.
Detection Method
Checks if HTTP methods such as TRACE and TRACK are
enabled and can be used.
Details:
[HTTP Debugging Methods (TRACE/TRACK) Enabled OID: 1.3.6.1.4.1.25623.1.0.11213](http://192.168.2.17:9392/nvt/1.3.6.1.4.1.25623.1.0.11213)
Version used:
2022-05-12T09:32:01Z
Affected Software/OS
Web servers with enabled TRACE and/or TRACK methods.
Impact
An attacker may use this flaw to trick your legitimate web
users to give him their credentials.
Solution
Solution Type:
Mitigation
Disable the TRACE and TRACK methods in your web server
configuration.
Please see the manual of your web server or the references for more information.
Expected behavior
No finding reported by OpenVAS.
Actual behavior
Finding reported by OpenVAS.
Host OS
Nextcloud AIO version
Current channel
Other valuable info
Summary
The remote HTTP web server / application is missing to set the 'Secure' cookie attribute for one or more sent HTTP cookie.
Detection Result
The cookies:
Set-Cookie: PHPSESSID=replaced; path=/
are missing the "Secure" cookie attribute.
Insight
The flaw exists if a cookie is not using the 'Secure' cookie attribute and is sent over a SSL/TLS connection.
This allows a cookie to be passed to the server by the client over non-secure channels (HTTP) and subsequently allows an attacker to e.g. conduct session hijacking attacks.
Detection Method
Checks all cookies sent by the remote HTTP web server / application over a SSL/TLS connection for a missing 'Secure' cookie attribute.
Details:
Missing 'Secure' Cookie Attribute (HTTP) OID: 1.3.6.1.4.1.25623.1.0.902661
Version used:
2023-01-17T10:10:58Z
Affected Software/OS
Any web application accessible via a SSL/TLS connection (HTTPS) and at the same time also accessible over a cleartext connection (HTTP).
Solution
Solution Type:
Mitigation
Set the 'Secure' cookie attribute for any cookies that are sent over a SSL/TLS connection.
References
Other
https://www.rfc-editor.org/rfc/rfc6265#section-5.2.5
https://owasp.org/www-community/controls/SecureCookieAttribute
https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
Hi, the problem arises because you scanned port 11001 without TLS. You need to scan the Reverse Proxy connection. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md