Sensitive server data exposed for non logged in users.

[maxsdw]

When accessing to "/api/info", some data like server OS, kernel version, cpu and ram, as well as other sensitive data is exposed, this could represent a security issue. All sensitive information should be remove from this response.

[mrj0b]

i can confirm this on https://demo.rocket.chat/api/info

[matthias-brun]

Perhaps make the information visible somewhere on the administration pages and disable "/api/info" for production systems?

[engelgabriel]

we use the /api/info on the Mobile and Desktop clients.. to validate the version of Rocket.Chat before they attempt to login.

[matthias-brun]

I see, then is there a reason for information such as kernel version or available ram also being publicly exposed? Could just remove that information from it.

[engelgabriel]

it was mainly to help us give better support, but you are right, we will remove that.

[Sing-Li]

we might want to public-key encrypt a sysinfo-blob for support ?

[geekgonecrazy]

Maybe we just make this route only available to admin? Because I do think some points the info could be good for troubleshooting.

I also like the idea of pub-key encrypt

[MartinSchoeler]

Today you only get the chat version from api/info. If there is still something relevant in this issue, please reopen this with updated details. Thanks!

[localguru]

Question: would it be a problem to block "/api/info" on nginx proxy side, e.g.:

	location ~ ^/apt/info {
		deny all;
	}

Or has it still to be public for mobile and desktop clients?

[geekgonecrazy]

@localguru I believe the new Android app uses this. The iOS app possibly uses this as well.