id: nextcloudpi-dashboard

info:
  name: NextcloudPi Dashboard - Exposed
  author: ritikchaddha
  severity: high
  description: |
    Detects exposed NextcloudPi dashboard instances. NextcloudPi dashboard is typically accessible on port 4443 and should not be exposed to the internet as it provides administrative access to the NextcloudPi instance.
  remediation: |
    Restrict access to the NextcloudPi dashboard to trusted IP addresses only. Use a VPN or firewall rules to limit access.
  reference:
    - https://github.com/nextcloud/nextcloudpi
  metadata:
    verified: true
    max-request: 1
    vendor: nextcloud
    product: nextcloudpi
    shodan-query: title:"NextcloudPi Panel"
    fofa-query: title="NextcloudPi Panel"
  tags: nextcloud,nextcloudpi,dashboard,misconfig,exposed

http:
  - method: GET
    path:
      - "{{BaseURL}}/?app=config"

    matchers:
      - type: dsl
        dsl:
          - "contains_any(body, 'Power Off', 'Nextcloud configuration')"
          - "status_code==200"
        condition: and
# digest: 490a004630440220720c10870dd10754fcdea588a6465af1506b0370a50eff39668cab59fad2e6f302200e21e795e09d8d21753080294adc5f8c6a13d43e8396a1b85d9057067b0fca30:922c64590222798bb761d5b6d8e72950