nextcloud / all-in-one

📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.
https://hub.docker.com/r/nextcloud/all-in-one
GNU Affero General Public License v3.0

OpenVAS 3x medium security issue found #3596

Closed juched78 closed 11 months ago

juched78 commented 11 months ago

Running OpenVAS on my network, the NextCloud AIO solution was found to have a medium security issue with a cookie use.

Port 8081 (nextcloud/all-in-one:latest) and 11001 (nextcloud-aio-apache)

Summary

The remote HTTP web server / application is missing to set the 'Secure' cookie attribute for one or more sent HTTP cookie.

Detection Result

The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "Secure" cookie attribute.

Insight

The flaw exists if a cookie is not using the 'Secure' cookie attribute and is sent over a SSL/TLS connection. This allows a cookie to be passed to the server by the client over non-secure channels (HTTP) and subsequently allows an attacker to e.g. conduct session hijacking attacks.

Detection Method

Checks all cookies sent by the remote HTTP web server / application over a SSL/TLS connection for a missing 'Secure' cookie attribute.
Details: Missing 'Secure' Cookie Attribute (HTTP) OID: 1.3.6.1.4.1.25623.1.0.902661
Version used: 2023-01-17T10:10:58Z

Expected behavior

No finding reported by OpenVAS.

Actual behavior

Finding reported by OpenVAS.

Host OS

Nextcloud AIO version

Current channel

Other valuable info

Affected Software/OS

Any web application accessible via a SSL/TLS connection (HTTPS) and at the same time also accessible over a cleartext connection (HTTP).

Solution

Solution Type:
Mitigation
Set the 'Secure' cookie attribute for any cookies that are sent over a SSL/TLS connection.

References

https://www.rfc-editor.org/rfc/rfc6265#section-5.2.5
https://owasp.org/www-community/controls/SecureCookieAttribute
https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

juched78 commented 11 months ago

Secondary finding:


Summary

The remote HTTP web server / application is missing to set the 'HttpOnly' cookie attribute for one or more sent HTTP cookie.

Detection Result

The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "HttpOnly" attribute.

Insight

The flaw exists if a session cookie is not using the 'HttpOnly' cookie attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

Detection Method

Checks all cookies sent by the remote HTTP web server / application for a missing 'HttpOnly' cookie attribute.
Details: Missing 'HttpOnly' Cookie Attribute (HTTP) OID: 1.3.6.1.4.1.25623.1.0.105925
Version used: 2023-01-11T10:12:37Z

Affected Software/OS

Any web application with session handling in cookies.

Solution

Solution Type:
Mitigation
Set the 'HttpOnly' attribute for any session cookie.
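
A small checker for the two cookie findings in this comment and the previous one, added here as example code that is not part of Nextcloud AIO or OpenVAS. The sample responses are constructed; whether the response was served over TLS is an input, because the scanner's own wording makes the 'Secure' finding conditional on a TLS connection while 'HttpOnly' applies to any session cookie.

```python
import re
from typing import Dict, List, Tuple

# Cookie names that look like server-side session ids (PHPSESSID matches).
SESSION_NAME_RE = re.compile(r"sess|session|sid", re.IGNORECASE)

def parse_set_cookies(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookies.append(value.strip())
    return cookies

def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split 'NAME=value; attr; attr=val' into (NAME, {attr_lower: val})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookies(raw_response: str, over_tls: bool) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it is missing. 'Secure' counts
    only when the response was served over TLS (the condition the OpenVAS
    check states); 'HttpOnly' counts for session cookies on any transport."""
    findings: Dict[str, List[str]] = {}
    for set_cookie in parse_set_cookies(raw_response):
        name, attrs = cookie_attributes(set_cookie)
        missing = []
        if over_tls and "secure" not in attrs:
            missing.append("Secure")
        if SESSION_NAME_RE.search(name) and "httponly" not in attrs:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings

# Constructed sample: a plain-HTTP response as a scan of the internal port might see it.
SAMPLE_INTERNAL = ("HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=replaced; path=/\r\n"
                   "Content-Type: text/html\r\n\r\n")
# Constructed sample: the same cookie as it should look through the TLS reverse proxy.
SAMPLE_PROXIED = ("HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=replaced; path=/; "
                  "Secure; HttpOnly; SameSite=Lax\r\n\r\n")
```

Running the same internal-port response with `over_tls=True` is what a scanner that treats the port as a TLS endpoint would report, which is why the reply below asks for the reverse-proxy connection to be scanned instead.
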
juched78 commented 11 months ago

Another finding:

Summary

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

Detection Result

The web server has the following HTTP methods enabled: TRACE

Insight

It has been shown that web servers supporting these methods are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers.

Detection Method

Checks if HTTP methods such as TRACE and TRACK are enabled and can be used.
Details: HTTP Debugging Methods (TRACE/TRACK) Enabled OID: 1.3.6.1.4.1.25623.1.0.11213
Version used: 2022-05-12T09:32:01Z

Affected Software/OS

Web servers with enabled TRACE and/or TRACK methods.

Impact

An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Solution

Solution Type:
Mitigation
Disable the TRACE and TRACK methods in your web server configuration. Please see the manual of your web server or the references for more information.

szaimen commented 11 months ago

Hi, the problem arises because you scanned port 11001 without TLS. You need to scan the Reverse Proxy connection. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md