
It opens /cron.php without login. Is security problem? #10751

Closed · istandthon7 opened this issue Aug 20, 2018 · 2 comments

istandthon7 commented Aug 20, 2018

Steps to reproduce

  1. Common Nextcloud setup with nginx and PHP 7.
  2. I found something in the nginx log: /cron.php 200
  3. I can browse https://mydomain/cron.php without logging in.

Expected behaviour

Redirect to error page

Actual behaviour

The page is loaded.
Is this a security issue?

Server configuration

Operating system:
Raspbian GNU/Linux 9 (stretch)

Web server:
nginx/1.10.3

Database:
mysql Ver 15.1 Distrib 10.1.23-MariaDB, for debian-linux-gnueabihf (armv7l) using readline 5.2

PHP version:
PHP 7.0.30-0+deb9u1 (cli) (built: Jun 14 2018 13:50:25) ( NTS )

Nextcloud version: (see Nextcloud admin page)
Nextcloud 13.0.5

Updated from an older Nextcloud/ownCloud or fresh install:
fresh install

Where did you install Nextcloud from:
cli
Are you using encryption: yes


Client configuration

Browser:
chrome 68.0.3440.106 64bit
Operating system:
windows 10

nextcloud-bot (Member) commented:

GitMate.io thinks possibly related issues are #9333 (Security Issue while login), #8028 (Security problem / sharing options), #6018 (nextcloud Content-Security-Policy problem), #1358 (config.php - Disable Remember Login), and #9386 (I can not login!).

istandthon7 changed the title from "it opens /cron.php without login. is security problem?" to "It opens /cron.php without login. Is security problem?" on Aug 20, 2018

MorrisJobke (Member) commented:

> I can browse https://mydomain/cron.php without logging in.

No, this is wanted behaviour. It only triggers the background job and doesn't return anything at all. So all is fine.

Thanks for the heads up.
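As an added example (not part of this thread and not the Nextcloud project's own configuration): if the instance's background jobs are run from system cron rather than by web requests, anonymous access to cron.php is not needed at all, and nginx can deny it as defence in depth. The Nextcloud side of this is switching the background-jobs mode to "Cron" in the admin settings and installing a crontab entry for the web server user; the documented form of that entry is `*/5 * * * * php -f /var/www/nextcloud/cron.php`. The CLI invocation never passes through nginx, so the block below does not break it. Assumptions: Nextcloud is installed under /var/www/nextcloud and PHP-FPM listens on unix:/run/php/php7.0-fpm.sock; adjust both to your host.

```nginx
# Added example, not from the issue or from Nextcloud's shipped nginx config.
# Drop this inside the existing server { } block. An exact-match location
# ("location =") wins over the generic regex PHP location, so its position in
# the file does not matter.
#
# Assumes system cron runs:  */5 * * * * php -f /var/www/nextcloud/cron.php
# as the web server user, which executes cron.php directly with the PHP CLI
# and never touches nginx, so denying web access here does not stop the jobs.
location = /cron.php {
    # Only the host itself may trigger cron.php over HTTP (e.g. for a local
    # webcron check); everyone else receives 403 instead of running the jobs.
    allow 127.0.0.1;
    allow ::1;
    deny all;

    # Same FastCGI handling as the rest of the PHP endpoints.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # assumed socket path
}
```

After reloading nginx, an anonymous request for /cron.php should log 403 rather than the 200 seen in the report, while the cron-driven jobs keep running. If the instance still relies on AJAX or webcron mode, leave the endpoint reachable: in those modes the unauthenticated request is exactly what triggers the background jobs, which is the behaviour described in the reply above.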
