• pentesticals@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.

    We generally spend a couple of days to a week before finding something critical allowing RCE.

    • pastudan@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Also worth noting here: Exposing wireguard is quite safe because the daemon doesn’t even respond unless it recognizes your key. It just drops the UDP packet otherwise.

      Nothing is unhackable, but this is damn near close. Such a brilliant design.

  • jovialfaction@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    That’s why I keep nextcloud behind http basic auth. Don’t trust those software to expose them directly to Internet.

    • CoffeeCapy@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      To my understanding, OCIS is a complete rewrite of OwnCloud and was written in Go. So my intuition tells me it’s not but I could be wrong.

  • Arghblarg
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    As article states, you’re not vulnerable if you don’t have the ‘graphapi’ app installed, whatever that is. Checked my nextcloud instance and it’s not there.

  • DryPhilosopher8168@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I can’t stress this enough, keep your private and enterprise cloud behind a vpn. Especially if you are a part time Admin with limited resources. Sooner or later you will be hacked.

  • chevereto@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’m surprised that ownCloud didn’t use a single PHP entrypoint. In PHP software you must restrict access to .php files, that’s front controller basis. They really did bad and I’m very disappointed.

  • the-last-user@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Thanks, OP. Now if only I could figure out how to change the SQLite database password in ownCloud 10.10 (it’s not stored in config.php, but there is a “passwordsalt” configured there).