V0.48 scan.nextcloud.com

I wanted to find out the version of Nextcloud on my MIAB, just updated to v0.48,
and found this post:

So I gave it a try at the address: https://scan.nextcloud.com/
and it came back with the following:
[X] Running Nextcloud 17.0.6.2
[J] Major version still supported

as expected per the tag v0.45
https://github.com/mail-in-a-box/mailinabox/releases/tag/v0.45

With “A” rating:
A = This server has no known vulnerabilities but there are additional hardening capabilities available in newer versions making it harder for an attacker to exploit unknown vulnerabilities to break in.

But hardening shows a potential problem:
[x] __Host-Prefix:
The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.

My question is: are there any plans to upgrade to the “LATEST” version, 19.0.0.?
https://github.com/nextcloud/server/releases/latest

In the Settings page of Nextcloud there was an option for Administrator that is missing in mine
when I log in as administrator for my box. Is it deliberate? If so, how can one access the Admin account on NC?

Not recommended, I think, as the Nextcloud install is really only there to provide address book and calendar, AFAIK.

However, does this work for you to make admin rights available to a user:

sudo mailinabox/tools/owncloud-unlockadmin.sh email@example.com

Thank you.

I have just looked and I only have available in my NextCloud:

  • Files
  • Gallery
  • Contacts
  • Calendar

Well to be honest I haven’t tried this on my MIAB as it is a production service for me.

I have installed Nextcloud on another VM and there one sees some extra settings available to the admin user compared to a normal user.

I assume the script in MIAB is still valid as it is included in 0.48.

Did you restart nextcloud (and nginx) btw?

Eventually! But the goal of the project isn’t to provide the latest calendar and contacts experience, so I am not in any hurry.

No worries. Are there any plans to integrate NC Talk (https://nextcloud.com/talk/), or is it out of scope of this project?

It’s way out of scope.

Running v71a and just tried the Nextcloud

for my MIAB https://domain.tld/cloud

and got:

Rating: F

Running Nextcloud 26.0.13.1
Latest patch level
Major version NOT supported

Hardening:

__Host-Prefix

The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies.

Is this something to worry about?

  • F = This server version is end of life and has no security fixes anymore. It is likely trivial to break in and steal all the data or even take over the entire server.*
  • E = This server is vulnerable to at least one vulnerability rated “high”. It is likely quite easy to break in and steal data or even take over the server.
  • D = This server is vulnerable to at least one vulnerability rated “medium”. With bit of effort, like creating a specially crafted URL and luring a user there, an attacker can likely steal data or even take over the server.
  • C = This server is vulnerable to at least one vulnerability rated “low”. This might or might not provide a way in for an attacker and will likely need some additional vulnerabilities to be exploited.
  • A = This server has no known vulnerabilities but there are additional hardening capabilities available in newer versions making it harder for an attacker to exploit unknown vulnerabilities to break in.
  • A+ = This server is up to date, well configured and has industry leading hardening features applied, making it harder for an attacker to exploit unknown vulnerabilities to break in.

Although I think it’s not as bad as result F suggests, due to the fact that MailinaBox doesn’t use all Nextcloud functionality, it’s still something that needs to be fixed.
Currently, work has been done to upgrade the installed PHP version (see Migrate from php8.0 to php8.1 by kiekerjan · Pull Request #2309 · mail-in-a-box/mailinabox · GitHub). Once that is merged, upgrades to newer Nextcloud versions will be added.
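
Added example, not part of the original thread and not the scanner's or Mail-in-a-Box's own code: a check of Set-Cookie header values against the rules browsers enforce for the __Host- prefix flagged in the scan results above (Secure set, Path exactly /, no Domain attribute). The cookie names and header values are constructed samples.

```python
# Constructed Set-Cookie values for illustration; not captured from a real server.
SAMPLE_HEADERS = [
    "__Host-example_sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-example_sid=abc123; Path=/cloud; Secure; HttpOnly",
    "__Host-example_sid=abc123; Path=/; Secure; Domain=domain.tld",
    "example_sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one header value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def host_prefix_findings(header):
    """List the reasons a cookie does not get __Host- protection (empty = OK)."""
    name, attrs = parse_set_cookie(header)
    if not name.startswith("__Host-"):
        return ["no __Host- prefix"]
    findings = []
    if "secure" not in attrs:          # must only travel over HTTPS
        findings.append("missing Secure")
    if attrs.get("path") != "/":       # must cover the whole host, not a subpath
        findings.append("Path is not /")
    if "domain" in attrs:              # must stay bound to the exact host
        findings.append("Domain attribute present")
    return findings

def audit(headers):
    """Map each cookie header value to its list of findings."""
    return {header: host_prefix_findings(header) for header in headers}

if __name__ == "__main__":
    for header, findings in audit(SAMPLE_HEADERS).items():
        print("OK  " if not findings else "FAIL", header, findings)
```

To check a real box, replace SAMPLE_HEADERS with the Set-Cookie values the server returns for its Nextcloud login page.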