nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.58k stars 4.08k forks source link

Security Dependency Update Bootstrap to 3.4.1 in Nextcloud 24.0.4 #33481

Closed stondino00 closed 1 year ago

stondino00 commented 2 years ago

⚠️ This issue respects the following points: ⚠️

Bug description

Nessus scan showing old bootstrap version. Actually looks like 3.x is end of life as well. Should be updated to 5.x asap it appears.

https://endoflife.date/bootstrap

image

Steps to reproduce

Scan with nessus OR go to this url on your nextcloud instance and search for Bootstrap.

https:///dist/core-common.js

Expected behavior

Showing newer version when searching for bootstrap.

Installation method

Official SNAP package

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

No response

Are you using the Nextcloud Server Encryption module?

No response

What user-backends are you using?

Configuration report

No response

List of activated Apps

Enabled:
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - circles: 24.0.0
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - documentserver_community: 0.1.12
  - external: 4.0.0
  - federatedfilesharing: 1.14.0
  - files: 1.19.0
  - files_accesscontrol: 1.14.0
  - files_antivirus: 3.3.1
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - forms: 2.5.1
  - groupfolders: 12.0.1
  - guests: 2.2.0
  - impersonate: 1.11.0
  - keeweb: 0.6.9
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notes: 4.4.0
  - notifications: 2.12.0
  - oauth2: 1.12.0
  - onlyoffice: 7.5.4
  - password_policy: 1.14.0
  - passwords: 2022.6.20
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - ransomware_protection: 1.13.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - socialsharing_email: 2.5.0
  - spreed: 14.0.3
  - systemtags: 1.14.0
  - tasks: 0.14.4
  - text: 3.5.1
  - twofactor_backupcodes: 1.13.0
  - twofactor_email: 2.5.0
  - twofactor_nextcloud_notification: 3.4.0
  - twofactor_totp: 6.4.0
  - twofactor_webauthn: 0.3.1
  - user_ldap: 1.14.1
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - accessibility: 1.8.0
  - encryption
  - federation: 1.11.0
  - files_external: 1.7.0
  - firstrunwizard: 2.10.0
  - photos: 1.1.0
  - support: 1.4.0
  - survey_client: 1.9.0
  - theming: 1.13.0

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

stondino00 commented 2 years ago

How do I get someone to review this?

szaimen commented 1 year ago

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

d-sko commented 1 year ago

Hi, same here with Nextcloud 25.0.4. A recent security audit of our external perimeter states that bootstrap 3.3.5 is used and refers to https://[domain]/dist/core-common.js. A quick search for "bootstrap v3.3.5" in this file returned 24 results.

nickvergessen commented 1 year ago

That's not the case anymore. It's just a bad copyright comment that was copied over.

https://github.com/nextcloud/server/pull/35485

Also backported to 25.0.4 https://github.com/nextcloud/server/pull/36273

24 might still show this false interpretation, but it's okay to ignore. Shipped bootstrap version is 4.6.2 https://github.com/nextcloud/server/blob/stable24/package.json#L51

d-sko commented 1 year ago

Thanks for the clarification, good to know that this is only a bad comment! But https://raw.githubusercontent.com/nextcloud/server/stable25/dist/core-common.js still has those comments, shouldn't they be gone there as well with those two PRs you mentioned?

stondino00 commented 1 year ago

Still seeing this copyright issue in 25.0.7

https:///dist/core-common.js

n-connect commented 1 year ago

Hi,

In v26.02 it is still an issue, the source still has it: https://raw.githubusercontent.com/nextcloud/server/stable26/dist/core-common.js. I guesss this affects the Nextcloud shipped apps by default too, below are some I've encountered from 1-7. Az point 8. is a different JS, which is actually really there : also outdated & vulnerable

By using the Nextcloud Files

  1. In dist: /dist/core-common.js

  2. Activity (v2.18.0): /apps/activity/js/activity-323.js

  3. Checksum (v1.2.1): /apps/activity/js/activity-323.js

  4. Electronic signatures (2.0.4): /apps/electronicsignatures/js/electronic-signatures-fileActions.js

  5. Group folders (v14.0.2): /apps/groupfolders/js/groupfolders-vendors-node_modules_nextcloud_vue-richtext_dist_index_js-node_modules_nextcloud_vue_dist_Com-ae25e2.js

  6. [Built-in] Viewer (v1.10.0): /apps/viewer/js/viewer-main.js6.

  7. By loading Photos /apps/photos/js/photos-main.js

  8. By loading Talk /apps/deck/js/deck-reference.js & /apps/deck/js/deck-talk.js 9.

  9. A different but also vulnerable one - jszip.js in Mind Map (0.0.28): /apps/files_mindmap/js/jszip.js

magikmw commented 1 year ago

I've considered opening a new issue for this, since above comments seem to not get any traction. The issue persists on v26.0.4, and still trips up security scanners - especially bad, since v26+ seems to have dropped bootstrap altogether as a dependency. I detest pinging, but seem to have no choice - @nickvergessen please consider reopening the issue?

nickvergessen commented 1 year ago

Then maybe it is another app you use that embeds it itself.

Please post a new detailed scanner report so we can judge it

magikmw commented 1 year ago

Alright, as I understand core-common.js is re-generated when apps are added/removed?

I've done a grep -R -o -n "Bootstrap v3.3.5" apps/ in my instance's apps folder, and it appears those still have the strings inside their *.js files.

calendar
deck
groupfolders
recommendations
richdocuments
privacy
photos
activity
firstrunwizard
viewer

Not all of those apps are active, and all are 'Featured' in the App menu.

joshtrichards commented 9 months ago

https://github.com/nextcloud-libraries/nextcloud-vue/pull/3979