NextCloud Security Concern
We are considering this resolved.
Today it was brought to our attention that a mistake was made on our part when setting up our NextCloud instance. We left the default Nginx server block in place, which routed to the same document root as cloud.mxroute.com. This allowed for a couple of troubling issues:
- PHP scripts could be downloaded, as the default server block was not configured to run the scripts through the interpreter. Most noteworthy would be config.php.
- Security values configured in the cloud.mxroute.com server block were not present when the data was accessed from this angle.
What we know to have been exposed:
- NextCloud password salt/secret (this isn’t actually important, keep reading)
- Email password for email@example.com
- Database password for NextCloud
What could have been exposed in theory but was not in practice:
- Data directories containing user uploaded files
- Secret/password salt are not relevant as we’re not using encryption or creating/storing user passwords in the NextCloud database. We delegate that to IMAP, so these values are irrelevant under our current configuration.
Steps to resolution:
- Routed default Nginx server block to another location not under the cloud.mxroute.com document root
- Rotated database and email passwords
- Reviewed logs to confirm no direct access of customer data
- Reviewed logs to ensure that this has only been exploited once, by the kind individual that disclosed this to us
Takeaway / Conclusion:
This could have been very damaging, and we’re very thankful that it was not. A kind security researcher notified us of this and we were able to take action very quickly. Had this been discovered by someone with malicious intent it would have been somewhat difficult for them to use it to compromise user data, but absolutely possible. This was our fault entirely, and we apologize sincerely and humbly.
We’ve been alerted to a security issue in the NextCloud installation. We’ve brought it down while reviewing, will explain afterward.