From 32d89e951f2cc965f6ad5a97fa2672572ba37896 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 8 Aug 2017 11:05:25 +0100
Subject: [PATCH] Fix nextcloud leak of version information This could be of obvious use to adversaries
---
 src/freedombone-app-nextcloud | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/freedombone-app-nextcloud b/src/freedombone-app-nextcloud
index 4fa51ee1..7e580fc4 100755
--- a/src/freedombone-app-nextcloud
+++ b/src/freedombone-app-nextcloud
@@ -483,6 +483,15 @@ function install_nextcloud_main {
 echo ' # Index' >> $nextcloud_nginx_site
 echo ' index index.php;' >> $nextcloud_nginx_site
 echo '' >> $nextcloud_nginx_site
+
+ # By default nextcloud advertises highly specific version information
+ # on status.php, which can obviously be used by adversaries.
+ # Blocking status.php prevents this information leak
+ echo ' location = /status.php {' >> $nextcloud_nginx_site
+ echo ' return 404;' >> $nextcloud_nginx_site
+ echo ' }' >> $nextcloud_nginx_site
+ echo '' >> $nextcloud_nginx_site
+
 echo ' # PHP' >> $nextcloud_nginx_site
 echo ' location ~ \.php {' >> $nextcloud_nginx_site
 echo ' include snippets/fastcgi-php.conf;' >> $nextcloud_nginx_site
@@ -539,6 +548,15 @@ function install_nextcloud_main {
 echo ' # Index' >> $nextcloud_nginx_site
 echo ' index index.php;' >> $nextcloud_nginx_site
 echo '' >> $nextcloud_nginx_site
+
+ # By default nextcloud advertises highly specific version information
+ # on status.php, which can obviously be used by adversaries.
+ # Blocking status.php prevents this information leak
+ echo ' location = /status.php {' >> $nextcloud_nginx_site
+ echo ' return 404;' >> $nextcloud_nginx_site
+ echo ' }' >> $nextcloud_nginx_site
+ echo '' >> $nextcloud_nginx_site
+
 echo ' # PHP' >> $nextcloud_nginx_site
 echo ' location ~ \.php {' >> $nextcloud_nginx_site
 echo ' include snippets/fastcgi-php.conf;' >> $nextcloud_nginx_site
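Review bot: The `location = /status.php` block is emitted only while `install_nextcloud_main` writes a fresh nginx site file (here and in the identical second hunk at old line 539), so nothing in this patch changes a site file that already exists. Existing installs would keep answering status.php unless an upgrade path elsewhere regenerates the file. Nextcloud sync clients probe status.php when connecting, so the blanket 404 may also break them and should be tested with a desktop and a mobile client before release. I would record both limits in the comment, e.g. `# NOTE: only new installs get this block; clients that probe status.php will receive 404`. The function body starts and ends outside the hunk.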
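Review bot: The nine added lines in this second hunk are a copy of the block from the first hunk, so the two server blocks can drift apart the next time only one of them is edited, leaving status.php reachable on one of the two sites. A small helper called from both places keeps the hardening rule in one spot. The sketch below reuses the echo strings as they appear in the patch and quotes the target path. `install_nextcloud_main` starts and ends outside the hunk, so both call sites need to be checked against the full function.

```shell
function nextcloud_nginx_block_status {
    # status.php reports the exact Nextcloud version; answer 404 instead
    {
        echo ' location = /status.php {'
        echo ' return 404;'
        echo ' }'
        echo ''
    } >> "$nextcloud_nginx_site"
}

# … unchanged: Index section of each server block …
nextcloud_nginx_block_status
# … unchanged: PHP location block …
```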