Security scan incorrectly detects X-Frame-Options #10753

Closed
tenspd137 opened this issue Aug 20, 2018 · 2 comments
@tenspd137

Steps to reproduce

  1. Fresh install on gentoo
  2. Log in as admin
  3. Security scan shows: The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

Expected behaviour

The above #3 should not occur

Actual behaviour

The above #3 does occur

Server configuration

Operating system: Gentoo Linux Kernel 4.15

Web server: Nginx 1.15.2, OpenSSL 1.0.2o

Database: Postgresql 11_beta2

PHP version: 7.2.8

Nextcloud version: 13.0.5

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: Gentoo package manager portage / webapp-config

Signing status:
Gentoo adds extra files so its webapp-config can track it.
Results

  • core
    • EXTRA_FILE
      • .webapp-nextcloud-13.0.5

Raw output

Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [.webapp-nextcloud-13.0.5] => Array
                        (
                            [expected] =>
                            [current] => 2418c537e13c2e19b9eb32e2f0d7166c73f64d5eea035993c3bff8f27f20a73d068d6042c9fc58b7a1a0d690a7ec8869a2b51959dcd391c6857e107a9f5e1910
                        )

                )

        )

)


List of activated apps:

sudo -u nginx php occ app:list
The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
Enabled:
  - activity: 2.6.1
  - bruteforcesettings: 1.1.0
  - comments: 1.3.0
  - dav: 1.4.7
  - federatedfilesharing: 1.3.1
  - federation: 1.3.0
  - files: 1.8.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.1
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - files_videoplayer: 1.2.0
  - firstrunwizard: 2.2.1
  - gallery: 18.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.1.0
  - nextcloud_announcements: 1.2.0
  - notifications: 2.1.2
  - oauth2: 1.1.1
  - password_policy: 1.3.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - sharebymail: 1.3.0
  - survey_client: 1.1.0
  - systemtags: 1.3.0
  - theming: 1.4.5
  - twofactor_backupcodes: 1.2.3
  - updatenotification: 1.3.0
  - workflowengine: 1.3.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - files_pdfviewer
  - user_external
  - user_ldap

Nextcloud configuration:


{
    "system": {
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "cloud.baddogfarm.org"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "overwrite.cli.url": "https://cloud.baddogfarm.org",
        "dbtype": "pgsql",
        "version": "13.0.5.2",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no - if you mean HTTPS, yes. Disk - no.

Client configuration

Browser: Firefox 61.0

Operating system: Gentoo Linux

Logs

Web server error log

2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity for nginx (STABLE)/2.9.2 (http://www.modsecurity.org/) configured.
2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity: APR compiled version="1.6.3"; loaded version="1.6.3"
2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity: LUA compiled version="Lua 5.1"
2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity: YAJL compiled version="2.1.0"
2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity: LIBXML compiled version="2.9.8"
2018/08/20 02:10:28 [notice] 27404#27404: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2018/08/20 02:10:28 [notice] 26685#26685: signal 15 (SIGTERM) received from 27411, exiting
2018/08/20 02:10:28 [notice] 26686#26686: exiting
2018/08/20 02:10:28 [notice] 26686#26686: exit
2018/08/20 02:10:28 [notice] 26685#26685: signal 17 (SIGCHLD) received from 26686
2018/08/20 02:10:28 [notice] 26685#26685: worker process 26686 exited with code 0
2018/08/20 02:10:28 [notice] 26685#26685: exit
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity for nginx (STABLE)/2.9.2 (http://www.modsecurity.org/) configured.
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity: APR compiled version="1.6.3"; loaded version="1.6.3"
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity: LUA compiled version="Lua 5.1"
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity: YAJL compiled version="2.1.0"
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity: LIBXML compiled version="2.9.8"
2018/08/20 02:10:28 [notice] 27443#27443: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2018/08/20 02:10:28 [notice] 27443#27443: using the "epoll" event method
2018/08/20 02:10:28 [notice] 27443#27443: nginx/1.15.2
2018/08/20 02:10:28 [notice] 27443#27443: OS: Linux 4.15.7-gentoo-r1
2018/08/20 02:10:28 [notice] 27443#27443: getrlimit(RLIMIT_NOFILE): 1024:4096
2018/08/20 02:10:28 [notice] 27444#27444: start worker processes
2018/08/20 02:10:28 [notice] 27444#27444: start worker process 27445
2018/08/20 02:12:02 [info] 27445#27445: *5 client canceled stream 47 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:22:00 [info] 27445#27445: *5 client canceled stream 119 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /apps/theming/js/theming?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:22:04 [info] 27445#27445: *49 client canceled stream 73 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:22:17 [info] 27445#27445: *68 client canceled stream 45 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /css/core/0cac-d195-server.css?v=b76b23a7-0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:22:17 [info] 27445#27445: *78 client canceled stream 33 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:24:54 [info] 27445#27445: *89 client canceled stream 33 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:25:00 [info] 27445#27445: *89 client canceled stream 49 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /css/core/0cac-d195-server.css?v=b76b23a7-0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:25:00 [info] 27445#27445: *89 client canceled stream 51 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /css/core/0cac-d195-share.css?v=b76b23a7-0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:25:00 [info] 27445#27445: *89 client canceled stream 57 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:30:55 [info] 27445#27445: *89 client canceled stream 103 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:31:11 [info] 27445#27445: *89 client canceled stream 151 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"
2018/08/20 02:31:28 [info] 27445#27445: *158 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2018/08/20 02:31:28 [info] 27445#27445: *159 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2018/08/20 02:31:43 [info] 27445#27445: *160 client canceled stream 47 while sending request to upstream, client: 127.0.0.1, server: cloud.baddogfarm.org, request: "GET /avatar/dayd/32?v=0 HTTP/2.0", upstream: "fastcgi://unix:/run/php-fpm.socket:", host: "cloud.baddogfarm.org"

Nextcloud log (data/nextcloud.log)

{"reqId":"TFZghhejdFlE84Yod7tl","level":2,"time":"2018-08-20T07:45:28+00:00","remoteAddr":"127.0.0.1","user":"dcday137","app":"core","method":"POST","url":"/login/confirm","message":"Login failed: 'dcday137' (Remote IP: '127.0.0.1')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","version":"13.0.5.2"}
{"reqId":"2R5tQD12gNN3opVqJjqE","level":2,"time":"2018-08-20T07:45:34+00:00","remoteAddr":"127.0.0.1","user":"dcday137","app":"core","method":"POST","url":"/login/confirm","message":"Login failed: 'dcday137' (Remote IP: '127.0.0.1')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","version":"13.0.5.2"}
{"reqId":"GhFltebKZVGCNi9xW8R0","level":2,"time":"2018-08-20T07:46:05+00:00","remoteAddr":"127.0.0.1","user":"dcday137","app":"core","method":"POST","url":"/login/confirm","message":"Login failed: 'dcday137' (Remote IP: '127.0.0.1')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","version":"13.0.5.2"}

Browser log

JQMIGRATE: Migrate is installed, version 1.4.0

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #543 (X-Frame-Options set to Deny issues a security warning), #4863 (X-Frame-Option DENY - NGINX), #8028 (Security problem / sharing options), #10280 (X-Frame-Options set two times), and #5246 (X-Frame-Options headers conflicting values).

@tenspd137
Author

That was it. Removing the setting from my config fixed the issue.
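The warning quoted in the report fires when the X-Frame-Options value the scan observes is not exactly SAMEORIGIN. The related issues the bot lists (header set two times, conflicting values) and the author's fix (removing the header from the web server config) point at the usual cause: the application already emits X-Frame-Options, and a second copy or a different value added by nginx makes the response carry two headers. The script below is an added example for checking this from a captured response; it is not code from the issue or from Nextcloud. It parses raw HTTP/1.1 response text such as `curl -sI` would print and flags a missing, duplicated or non-SAMEORIGIN header. The three sample responses are constructed inline so the check runs offline; they are not captures from the reporter's server.

```python
"""Flag missing, duplicated or non-SAMEORIGIN X-Frame-Options headers in a raw HTTP response.

All sample responses below are constructed for this example; nothing is fetched.
"""
from typing import List, Tuple

EXPECTED_VALUE = "SAMEORIGIN"


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response into (lower-cased name, value) pairs.

    Duplicates are preserved on purpose: the point of the check is to see
    whether the same header was sent more than once.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    if not status_line.startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {status_line!r}")
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_x_frame_options(raw_response: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when X-Frame-Options appears exactly once and its value is
    SAMEORIGIN (compared case-insensitively, as browsers do).
    """
    values = [v for n, v in parse_headers(raw_response) if n == "x-frame-options"]
    if not values:
        return False, "X-Frame-Options header missing"
    if len(values) > 1:
        # Typical cause: the application sets the header and the web server
        # (an nginx add_header, for instance) appends its own copy.
        return False, f"X-Frame-Options sent {len(values)} times: {values}"
    if values[0].upper() != EXPECTED_VALUE:
        return False, f"X-Frame-Options is {values[0]!r}, expected {EXPECTED_VALUE!r}"
    return True, "X-Frame-Options is set once to SAMEORIGIN"


# Constructed sample: the application sets the header once (healthy case).
RESPONSE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

# Constructed sample: the application sets SAMEORIGIN and the web server adds a second copy.
RESPONSE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

# Constructed sample: the web server replaces the value with DENY.
RESPONSE_DENY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

# Constructed sample: no X-Frame-Options at all.
RESPONSE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in [("ok", RESPONSE_OK), ("duplicate", RESPONSE_DUPLICATE),
                        ("deny", RESPONSE_DENY), ("missing", RESPONSE_MISSING)]:
        ok, reason = check_x_frame_options(resp)
        print(f"{label:10s} {'PASS' if ok else 'FAIL'}: {reason}")
```

To run it against a live instance, capture the headers with `curl -sI https://your-host/` and pass the output to `check_x_frame_options`. A PASS here after removing the web server's own X-Frame-Options directive is the same outcome the author reports: the application sends the header once, and the scan stops warning.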
