status.php security: information disclosure

[barrydegraaff]

An unauthenticated user can point his browser to: /owncloud/status.php

The result: {"installed":true,"maintenance":false,"version":"8.1.3.0","versionstring":"8.1.3","edition":""}

Information disclosure enables an attacker to gain valuable information about a system. Therefore, always consider what information you are revealing and whether it can be used by a malicious user.

Maybe an internal php function would have been better...

[karlitschek]

thanks for the input. this was discussed in the past and is considered not a security problem. the version of owncloud can be detected in several ways

[ghost]

https://en.wikipedia.org/wiki/Security_through_obscurity

[barrydegraaff]

Thanks for that link, relying only on obscurity would be a bad thing. But I believe security is something that comes in layers. So just giving away version info and things as maintenance status is just not a good idea.

Yes, we should always install the latest version and all security patches, but yes sometimes Ops is busy doing something else, and the new version goes by unnoticed, or automatic upgrades may have failed. In those scenarios, sharing this info, just is not good practise.

I can copy paste links also: http://projects.webappsec.org/w/page/13246936/Information%20Leakage https://msdn.microsoft.com/en-us/library/aa738441%28v=vs.110%29.aspx https://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/ http://www.ducea.com/2006/06/16/apache-tips-tricks-hide-php-version-x-powered-by/

[LukasReschke]

I can copy paste links also:
http://projects.webappsec.org/w/page/13246936/Information%20Leakage
https://msdn.microsoft.com/en-us/library/aa738441%28v=vs.110%29.aspx
https://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/
http://www.ducea.com/2006/06/16/apache-tips-tricks-hide-php-version-x-powered-by/

And I can happily copy-paste links that will explain that it is still possible to fingerprint the server version otherwise for example by comparing the JS or CSS files or the behaviour of the server. Preventing version enumeration is just not part of our threat model and not feasible for web applications.

[LukasReschke]

So yes, technically we might be able to remove this field if we adjust all clients. But no, it won't be any help as everybody can still fingerprint the version otherwise. (or writes a tool to do it such as http://wpscan.org/ or it's related CMSScanner https://github.com/wpscanteam/CMSScanner)

[ghost]

Completely agree. I doesn't make any sense to hide the version of a web application, especially if its open-source. Most of the posted links are referring to services like webserver where it is not that easy to enumerate / fingerprint the version.

Still i havn't suggested any customer to hide the version of services as it makes no sense from my PoV. If you can't patch a service to fix vulnerabilities you should lock them away from the internet.

[ghost]

Ah, and the most important thing is missing:

Have a look at scanners like OpenVAS: http://plugins.openvas.org/nasl.php?oid=805237

or Nikto: https://github.com/sullo/nikto/commit/7ac045724d7e46b8aa8cd59d6a31a964bfe99fcb

They mostly don't care about the version reported by the application and just trying to exploit the vulnerability. So its just a matter of time when a vulnerability is detected, no matter if you're exposing the version or not.

[butonic]

fixed by https://github.com/owncloud/core/pull/27473

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.