While clearing and grubbing our logfiles I found a link that made me curious. I entered this link into a browser and found all files of a specific user, without any login.
Tested twice and a hundred times more, deleted caches, always the same: I can access all the user's files without login.
I have no idea why this happens, I can see no enabled option for this behaviour.
The link looks like:
http://my.server/index.php/s/4KdMb5r8KfGFXXX?path=%2F
Enabled Sharing options:
- Allow apps to use the Share API
- Allow users to share via link
All other options are disabled.
If I switch off "Allow users to share via link" this behaviour disappears.
It looks as if I could use a direct URL to access my file without login.
I have double checked access rights on the server.
Expected behaviour
OC should ask for login credentials or password if not logged in
Actual behaviour
I can see all files and folders of a specific user without login
Server configuration
Operating system: Ubuntu 16.04.3
Web server: Apache/2.4.18
Database: mysql Ver 14.14 Distrib 5.7.20
PHP version: PHP 7.0.22
ownCloud version: 10.0.4.4
Updated from an older ownCloud or fresh install: Updated
Where did you install ownCloud from: Website
Signing status (ownCloud 9.0 and above): No errors have been found.
The content of config/config.php:
"config": {
    "instanceid": "oc3delxmme1a",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
        "192.168.XX.X",
        "my.server",
        "ubuntu"
    ],
    "datadirectory": "/var/www/owncloud/data",
    "dbtype": "mysql",
    "version": "10.0.4.4",
    "dbname": "owncloud",
    "dbhost": "localhost",
    "dbtableprefix": "oc_",
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "theme": "",
    "maintenance": false,
    "loglevel": 3,
    "ldapIgnoreNamingRules": false,
    "trashbin_retention_obligation": "auto"
}
List of activated apps:
Enabled:
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.3.2
- federatedfilesharing: 0.3.1
- federation: 0.1.0
- files: 1.5.1
- files_external: 0.7.1
- files_sharing: 0.10.1
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- market: 0.2.3
- notifications: 0.3.2
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.1
- updatenotification: 0.2.1
Are you using external storage, if yes which one: No
Are you using encryption: No
Are you using an external user-backend, if yes which one: WebDAV
Client configuration
Browser: Firefox 57.0.1 & Safari 11.0.2
Operating system: macOS 10.12.6
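Since the report starts from a link noticed in the web-server logs, here is an added audit script (not part of the original post and not ownCloud's own code) that parses Apache combined-format access log lines, isolates requests to the public-link share endpoint `/index.php/s/<token>` shown in the report, and summarises each token's successful hits, downloads and distinct client addresses. The sample log lines, tokens and IP addresses are constructed, and the `max_ips` threshold is an assumed tuning knob, not an ownCloud setting.

```python
import re
from collections import defaultdict

# Apache combined log format (constructed examples below), e.g.
# 203.0.113.7 - - [10/Dec/2017:14:02:11 +0100] "GET /index.php/s/TOKEN?path=%2F HTTP/1.1" 200 5123 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Public-link share URL pattern from the report: /index.php/s/<token>[/download][?path=...]
SHARE_RE = re.compile(r'^/index\.php/s/(?P<token>[A-Za-z0-9]+)(?P<rest>[^?]*)')

def parse_line(line):
    """Return a dict with ip, ts, method, path, status, token (None if not a share hit), download."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    s = SHARE_RE.match(rec["path"])
    rec["token"] = s.group("token") if s else None
    rec["download"] = bool(s and s.group("rest").startswith("/download"))
    return rec

def audit_share_links(lines, max_ips=2):
    """Summarise successful (HTTP 200) hits on public share links, keyed by share token."""
    report = defaultdict(lambda: {"hits": 0, "downloads": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["token"] is None or rec["status"] != 200:
            continue
        e = report[rec["token"]]
        e["hits"] += 1
        e["downloads"] += int(rec["download"])
        e["ips"].add(rec["ip"])
    for e in report.values():
        # A link handed to one recipient is normally used from few addresses;
        # many distinct IPs suggest the token has spread beyond its intended recipient.
        e["suspicious"] = len(e["ips"]) > max_ips
    return dict(report)

# Constructed sample lines (not from the original report); tokens and addresses are made up.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Dec/2017:14:02:11 +0100] "GET /index.php/s/aaaaTOKEN0001?path=%2F HTTP/1.1" 200 5123 "-" "Firefox"',
    '198.51.100.5 - - [10/Dec/2017:14:02:19 +0100] "GET /index.php/s/aaaaTOKEN0001/download?path=%2F&files=a.pdf HTTP/1.1" 200 88120 "-" "Firefox"',
    '203.0.113.9 - - [10/Dec/2017:15:11:02 +0100] "GET /index.php/s/aaaaTOKEN0001?path=%2F HTTP/1.1" 200 5123 "-" "Safari"',
    '203.0.113.77 - - [10/Dec/2017:16:40:45 +0100] "GET /index.php/s/aaaaTOKEN0001?path=%2F HTTP/1.1" 200 5123 "-" "curl"',
    '192.0.2.4 - - [10/Dec/2017:16:41:00 +0100] "GET /index.php/s/bbbbTOKEN0002 HTTP/1.1" 404 512 "-" "Firefox"',
    '192.0.2.4 - alice [10/Dec/2017:16:42:00 +0100] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 2048 "-" "mirall"',
]

if __name__ == "__main__":
    for token, e in sorted(audit_share_links(SAMPLE_LOG).items()):
        flag = "REVIEW" if e["suspicious"] else "ok"
        print(f"{token}: {e['hits']} hits, {e['downloads']} downloads, {len(e['ips'])} IPs [{flag}]")
```

Tokens flagged REVIEW can be matched against the link shares listed in the sharing UI to decide whether a link should get a password or expiry date, or be removed.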