[frameworks-kio] [Bug 505118] kioworker accessing nextcloud CalDAV without credentials triggers bruteforce detection
TraceyC
bugzilla_noreply at kde.org
Tue Jun 3 00:30:13 BST 2025
https://bugs.kde.org/show_bug.cgi?id=505118
TraceyC <kdedev at tlcnet.info> changed:
What                      |Removed                   |Added
----------------------------------------------------------------------------
Assignee                  |unassigned-bugs at kde.org |kio-bugs-null at kde.org
Product                   |kde                       |frameworks-kio
Ever confirmed            |0                         |1
CC                        |                          |kdedev at tlcnet.info, kdelibs-bugs at kde.org
Component                 |general                   |WebDAV
Status                    |REPORTED                  |CONFIRMED
Version First Reported In |unspecified               |6.14.0
--- Comment #1 from TraceyC <kdedev at tlcnet.info> ---
I also have a Nextcloud instance set up with nginx and confirmed the problem
with git-master.

In Plasma, I don't have the NC account set up via "Online Accounts". The
software accessing my Nextcloud instance is Thunderbird, the NC client, and
apparently the plasma-browser-integration at kde.org process.

I notice that both in your logs and mine, "Mozilla" is in the lines. This isn't
Thunderbird, so on my machine this is from the Nextcloud client.

As a test, I closed Thunderbird, re-started, and initiated a sync.
I saw similar log lines with the 401 error, but with the client identifier
(X11; Linux x86_64; rv:139.0) Gecko/20100101 Thunderbird/139.0"

Sync attempts after the first do not produce a 401 error; they show 207 as
expected.

After exiting the NC client and re-starting, that didn't produce any 401s.

I made sure no browser tabs were open to the NC instance; the only processes
open referencing Mozilla are
- KeepassXC (which doesn't call out to NC)
- plasma-browser-integration at kde.org

So it seems that no matter which client uses kioworker to communicate with
Nextcloud, except the NC client itself, the behavior is the same.

Log lines from my server:
/var/log/nginx ❯ rg -A 1 "PROPFIND.*401" | tail -6
nextcloud_https_access.log:A.B.C.D - - [02/Jun/2025:22:32:31 +0000] "PROPFIND
/remote.php/dav/principals/users/tclark/ HTTP/1.1" 401 596 "-" "Mozilla/5.0
(X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
nextcloud_https_access.log-A.B.C.D - tclark [02/Jun/2025:22:32:31 +0000]
"PROPFIND /remote.php/dav/principals/users/tclark/ HTTP/1.1" 207 296 "-"
"Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
--
nextcloud_https_access.log:A.B.C.D - - [02/Jun/2025:22:32:32 +0000] "PROPFIND
/remote.php/dav/addressbooks/users/tclark/ HTTP/1.1" 401 596 "-" "Mozilla/5.0
(X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
nextcloud_https_access.log:A.B.C.D - - [02/Jun/2025:22:32:32 +0000] "PROPFIND
/remote.php/dav/calendars/tclark/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11;
Linux x86_64) KIO/6.15 kioworker/6.15.0"
nextcloud_https_access.log-A.B.C.D - tclark [02/Jun/2025:22:32:33 +0000]
"PROPFIND /remote.php/dav/addressbooks/users/tclark/ HTTP/1.1" 207 451 "-"
"Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
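Added example, not part of the bug report and not KDE or Nextcloud code: a log check for the pattern shown in the comment above, where an anonymous PROPFIND gets a 401 and the same request is then repeated with credentials and gets a 207. The client address 192.0.2.10, the user "alice", the 5-second window and the function names are assumptions made for the illustration; the sample lines are constructed to mirror the ones quoted from the server.

```python
import re
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def classify_401s(lines, window=timedelta(seconds=5)):
    """Split anonymous 401s into those followed, within `window`, by an
    authenticated 2xx for the same ip/method/path/agent, and the rest."""
    recs = [r for r in map(parse, lines) if r]
    same = lambda a, b: all(a[k] == b[k] for k in ("ip", "method", "path", "agent"))
    retried, unanswered = [], []
    for r in recs:
        if r["status"] != 401 or r["user"] != "-":
            continue
        answered = any(
            o["user"] != "-" and 200 <= o["status"] < 300 and same(o, r)
            and timedelta(0) <= o["ts"] - r["ts"] <= window
            for o in recs)
        (retried if answered else unanswered).append(r["path"])
    return retried, unanswered

# Constructed sample lines (placeholder address and user name).
UA = "Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
FMT = ('192.0.2.10 - {u} [02/Jun/2025:22:32:{s} +0000] '
       '"PROPFIND /remote.php/dav/{p} HTTP/1.1" {c} 596 "-" "' + UA + '"')
SAMPLE = [FMT.format(u=u, s=s, p=p, c=c) for u, s, p, c in [
    ("-", "31", "principals/users/alice/", 401),
    ("alice", "31", "principals/users/alice/", 207),
    ("-", "32", "addressbooks/users/alice/", 401),
    ("-", "32", "calendars/alice/", 401),
    ("alice", "33", "addressbooks/users/alice/", 207)]]

if __name__ == "__main__":
    retried, unanswered = classify_401s(SAMPLE)
    print("401 followed by authenticated retry:", retried)
    print("401 with no retry in the sample:", unanswered)
```

A 401 that lands in the second list only means no matching authenticated request appears in the lines examined; in the quoted output the calendars request is cut off by `tail -6` in the same way.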