
Version disclosure #7399

Closed
ShellCode33 opened this issue Dec 5, 2017 · 5 comments

Comments

@ShellCode33

I think hiding the version in the status.php file from anonymous users could be great. Even if I'm pretty sure there are other ways to find the version of the installed instance, it makes it easier for attackers to find public exploits based on the version.

@MariusBluem
Member

Only hiding the information would not make Nextcloud more secure because the version could be exploited by other files (e.g. CSS) too :)

@ShellCode33
Author

It will not make Nextcloud more secure, but it will be harder to find the version! It can slow down bots looking for exploitable versions of Nextcloud. It is pointless to keep it public...

@MariusBluem
Member

> It can slow down bots looking for exploitable versions of Nextcloud.

It is just one more line in the hacker's script ;)

@ShellCode33
Author

ShellCode33 commented Dec 5, 2017

So tell me, what are the other ways of finding the version?

> the version could be exploited by other files (e.g. CSS) too

Are you saying that to find the version, an attacker just has to hash a file and compare it with a database to retrieve the version? Because you can't determine a version based on that... CSS files will not necessarily change between two versions.

@blizzz
Member

blizzz commented Dec 5, 2017

  1. It's security by obscurity, which does not work. Fingerprinting is only a tiny bit more work.

  2. Also, the clients need to read it.

=> it's more work to get around this, without real benefit.
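Since the maintainers' position is that `status.php` stays readable (sync clients need it, and hiding the version only adds one line to a scanner), the practical control on the operator's side is to notice when anonymous clients are probing it. The script below is an added example and not code from this thread or from Nextcloud: it parses web-server access logs in the common "combined" format and flags source addresses that requested `status.php` without authenticating at more than one location, a pattern typical of a scanner guessing the install path rather than a sync client that already knows the instance URL. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample traffic (not real logs): a browser user, the desktop
# sync client (user agent "mirall"), and an unauthenticated client that
# tries several candidate locations for status.php.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2017:10:00:01 +0000] "GET /status.php HTTP/1.1" 200 155 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"
203.0.113.10 - alice [05/Dec/2017:10:00:02 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9041 "https://cloud.example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"
198.51.100.7 - - [05/Dec/2017:10:01:00 +0000] "GET /status.php HTTP/1.1" 200 155 "-" "python-requests/2.18.4"
198.51.100.7 - - [05/Dec/2017:10:01:01 +0000] "GET /nextcloud/status.php HTTP/1.1" 404 210 "-" "python-requests/2.18.4"
198.51.100.7 - - [05/Dec/2017:10:01:02 +0000] "GET /owncloud/status.php HTTP/1.1" 404 210 "-" "python-requests/2.18.4"
192.0.2.44 - - [05/Dec/2017:10:02:00 +0000] "GET /status.php HTTP/1.1" 200 155 "-" "Mozilla/5.0 (Linux) mirall/2.3.3"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_status_probes(log_text, min_paths=2):
    """Group anonymous requests for status.php by client address.

    Returns {ip: {"paths": [...], "agents": [...]}} for every address that asked
    for status.php at `min_paths` or more distinct locations without ever
    supplying a username. A single request is normal (sync clients read the
    file); guessing several install paths is the scanner signal.
    """
    paths_by_ip = defaultdict(set)
    agents_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != "-":
            continue  # unparseable, or an authenticated request
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/status.php"):
            paths_by_ip[rec["ip"]].add(path)
            agents_by_ip[rec["ip"]].add(rec["agent"])
    return {
        ip: {"paths": sorted(paths), "agents": sorted(agents_by_ip[ip])}
        for ip, paths in paths_by_ip.items()
        if len(paths) >= min_paths
    }


if __name__ == "__main__":
    for ip, info in find_status_probes(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(info['paths'])} locations for status.php "
              f"with agent(s) {', '.join(info['agents'])}")
```

The threshold is deliberately on distinct paths rather than request count, so a sync client polling `/status.php` repeatedly from one address is not flagged, while a client walking `/`, `/nextcloud/`, `/owncloud/` for the file is. Feed it real log data with `find_status_probes(open(path).read())`; the flagged addresses are candidates for rate limiting or a fail2ban-style ban at the reverse proxy, which costs the scanner more than a missing version string would.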
