I can access all files without login - why?

own7 · December 27, 2017, 4:27pm

While clearing and grubbing our logfiles I found a link that made me curious. I entered this link into a Browser and found all files of a specific user, without any login.
Tested twice and a hundred times more, deleted caches, always the same: I can access all the users files without login.

I have no idea why this happens, I can see no enabled option for this behaviour.

The link looks like:
http://my.server/index.php/s/4KdMb5r8KfGFXXX?path=%2F

Enabled Sharing options:
- Allow apps to use the Share API
- Allow users to share via link
All other options are disabled.

If I switch off "Allow users to share via link" this behaviour disappears.

It looks the same like https://central.owncloud.org/t/i-can-use-a-direct-url-to-access-my-file-without-login/8027

I have double checked access rights on the server.

Expected behaviour

OC should ask for login credentials or password if not logged in

Actual behaviour

I can see all files and folders of a specific user without login

Server configuration

Operating system: Ubuntu 16.04.3
Web server: Apache/2.4.18
Database: mysql Ver 14.14 Distrib 5.7.20
PHP version: PHP 7.0.22
ownCloud version: 10.0.4.4
Updated from an older ownCloud or fresh install: Updated
Where did you install ownCloud from: Website
Signing status (ownCloud 9.0 and above): No errors have been found.
The content of config/config.php:
"config": {
"instanceid": "oc3delxmme1a",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"192.168.XX.X",
"my.server",
"ubuntu"
],
"datadirectory": "\/var\/www\/owncloud\/data",
"dbtype": "mysql",
"version": "10.0.4.4",
"dbname": "owncloud",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"theme": "",
"maintenance": false,
"loglevel": 3,
"ldapIgnoreNamingRules": false,
"trashbin_retention_obligation": "auto"
}

List of activated apps:
Enabled:
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.3.2
- federatedfilesharing: 0.3.1
- federation: 0.1.0
- files: 1.5.1
- files_external: 0.7.1
- files_sharing: 0.10.1
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- market: 0.2.3
- notifications: 0.3.2
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.1
- updatenotification: 0.2.1

Are you using external storage, if yes which one: No
Are you using encryption: No
Are you using an external user-backend, if yes which one: WebDAV

Client configuration

Browser: Firefox 57.0.1 & Safari 11.0.2
Operating system: macOS 10.12.6

koval · December 27, 2017, 4:40pm

It seems that you have a problem with Apache server config.
I would recommend you to check .htaccess is working or not.
Here is some article how to check https://docs.bolt.cm/3.4/howto/making-sure-htaccess-works

tom42 · December 27, 2017, 5:14pm

This link looks to me like a user has created a public link / share without a password for his root folder and then this is the expected behavior. This could be confirmed by your post about disabling "Allow users to share via link".

Maybe the documentation here is helping you to understand the functionality those public shares: https://doc.owncloud.org/server/latest/user_manual/files/public_link_shares.html

own7 · December 27, 2017, 5:42pm

Checked .htaccess and mod_rewrite, both are working like expected.

tom42 · December 27, 2017, 6:04pm

I don't think that .htaccess and mod_rewrite will help here as this is just a functionality of ownCloud and an expected behavior as explained above.

own7 · December 27, 2017, 6:05pm

Right, I have found a dozen of shares in table oc_share for this specific user where share_with is null, means there is no password for this share.

Thanks for your help finding this and best Regards!