INVALID_HASH & .htaccess and no way to recover the old configuration


#1

I get the INVALID_HASH for .htaccess and I have no way of getting the old configuration of the owncloud. The operating system needed to be recovered from backups and they were older than files in the owncloud configuration. I don’t know if the current hash for .htaccess is for the current owncloud version.
Is the version 9.1.6 available for download?
How to convince owncloud to accept the .htaccess file?

9.1.6

Steps to reproduce

  1. php occ integrity:check-core

Expected behaviour

The integrity test should pass

Actual behaviour

The test returns:

  • INVALID_HASH:
    • .htaccess:
      • expected: ab5f4c44ba2f9c66f2ed25c3ad3d84660b2808cca11ffa8fe2778a648a054d8ada495a0bf4715dc873aac1efe8dfd92a72f9a24441d8f5240834e639325fd892
      • current: cd513438eef6164a503c84bfcc3e933598dae3f43a2745f9bdf36615fd821d1213abd1e3ce42da7d8f948f3e39ca495679401e149f9daf2d0fe7f883527d18f4

Server configuration

Operating system:
CentOS 7.5.1804

Web server:
Apache

Database:

PHP version:
5.4.16

ownCloud version: (see ownCloud admin page)
Cannot login to ownCloud.
occ returns 9.1.6

Updated from an older ownCloud or fresh install:
?

Where did you install ownCloud from:
?

Signing status (ownCloud 9.0 and above):
?

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

Cannot login into ownCloud: Access forbidden CSRF check failed

The content of config/config.php:

```
<?php
$CONFIG = array (
  'instanceid' => 'ociozheizcie',
  'passwordsalt' => 'CFvalWVbgvvUNsxxSN0KLeGqnSa8VY',
  'secret' => 'bidpgSWanq3CCVseYTcIT1OHdfencJMEYbSX7K7iicxKnSQ2',
  'trusted_domains' =>
  array (
    0 => 'XX.XX.XX',
    1 => 'XX.XX.XX.XX',
  ),
  'datadirectory' => '/var/ownclouddata',
  'overwrite.cli.url' => 'https://XXX.XXXX.XXXl/owncloud',
  'dbtype' => 'mysql',
  'version' => '9.1.6.2',
  'dbname' => 'clouddb',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXXXXXXX',
  'dbpassword' => 'XXXXXXXX',
  'logtimezone' => 'UTC',
  'installed' => true,
  'mail_from_address' => 'owncloud.XX',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => 'XX.XX',
  'trashbin_retention_obligation' => 30,
  'trashbin_auto_expire' => true,
  'defaultapp' => 'files',
  'remember_login_cookie_lifetime' => 3600,
  'session_lifetime' => 3600,
  'forcessl' => true,
  'has_internet_connection' => true,
  'log_rotate_size' => 104857600,
  'logfile' => '/var/log/owncloud.log',
  'loglevel' => 0,
  'maintenance' => false,
  'ldapIgnoreNamingRules' => false,
  'ldapIgnoreNamingRules' => false,
  'htaccess.RewriteBase' => '/owncloud',
  'theme' => '',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.XX.XX',
  'mail_smtpname' => 'owncloud.XX',
  'mail_smtppassword' => 'XXXXXXXXX',
```

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above methods whenever possible. Both, the generated reports from the web-ui and from occ config:list consistently remove sensitive data. You still may want to review the report before sending. If done manually then it is critical for your own privacy to diligently remove *all* host names, passwords, usernames, salts and other credentials before posting. You should assume that attackers find such information and will use them against your systems.

```
"trusted_domains": [
    "exchange.fotonowy.pl",
    "XX.XX.XX.XX"
],
"datadirectory": "\/var\/ownclouddata",
"overwrite.cli.url": "https:\/\/exchange.XX.XX\/owncloud",
"dbtype": "mysql",
"version": "9.1.6.2",
"dbname": "clouddb",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"mail_from_address": "owncloud.xx",
"mail_smtpmode": "smtp",
"mail_domain": "XX.XX",
"trashbin_retention_obligation": 30,
"trashbin_auto_expire": true,
"defaultapp": "files",
"remember_login_cookie_lifetime": 3600,
"session_lifetime": 3600,
"forcessl": true,
"has_internet_connection": true,
"log_rotate_size": 104857600,
"logfile": "\/var\/log\/owncloud.log",
"loglevel": 0,
"maintenance": false,
"ldapIgnoreNamingRules": false,
"htaccess.RewriteBase": "\/owncloud",
"theme": "",
"mail_smtpsecure": "tls",
"mail_smtpauthtype": "PLAIN",
"mail_smtpauth": 1,
"mail_smtphost": "smtp.XX.XX",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
```

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

```
Enabled:
  - activity: 2.3.2
  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.2.7
  - federatedfilesharing: 0.3.0
  - federation: 0.1.0
  - files: 1.5.1
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.10.0
  - files_texteditor: 2.1
  - files_trashbin: 0.9.0
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 15.0.0
  - notifications: 0.3.0
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - templateeditor: 0.1
  - updatenotification: 0.2.1
Disabled:
  - encryption
  - external
  - files_antivirus
  - files_external
  - user_external
  - user_ldap
```

Are you using external storage, if yes which one: local/smb/sftp/...
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
? none

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local computer or access your SQL server remotely and run the select query:

```
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';
```

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Logs

Web server error log

```
Insert your webserver log here
```

ownCloud log (data/owncloud.log)

```
Insert your ownCloud log here
```

Browser log

```
Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...
```

#2

Hey,

personally i would update to the most recent 10.1.0 version and then i think the invalid hash should be gone.


#3

Hi tom42,

Cannot go to 10.1.0 due to other essential services depending on old php 5.4.
What fixed the problem was to reinstall owncloud from 9.1.6 to 9.1.8.

Thanks for the tip!
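
One way to check which .htaccess a reported `expected:` value belongs to, as raised in post #1. This is an added example, not part of the original thread and not ownCloud's own code. The marker string and the rule that only the content above it is hashed are assumptions about ownCloud's checker; the function names and sample file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: ownCloud appends generated rewrite rules below this marker and
# hashes only the part of .htaccess above it when exactly one marker is present.
MARKER = b"#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####"


def checked_digest(data, marker=MARKER):
    """SHA-512 hex digest of the bytes the integrity check is assumed to cover."""
    parts = data.split(marker)
    covered = parts[0] if len(parts) == 2 else data  # otherwise: whole file
    return hashlib.sha512(covered).hexdigest()


def compare(candidates, expected_hex, marker=MARKER):
    """Map each candidate .htaccess path to 'OK' or 'INVALID_HASH'."""
    expected = expected_hex.strip().lower()
    # The report's values are 128 hex characters, i.e. SHA-512.
    if len(expected) != 128 or set(expected) - set("0123456789abcdef"):
        raise ValueError("expected value is not a SHA-512 hex digest")
    result = {}
    for path in candidates:
        current = checked_digest(Path(path).read_bytes(), marker)
        result[str(path)] = "OK" if current == expected else "INVALID_HASH"
    return result


if __name__ == "__main__":
    # Constructed sample files standing in for: the shipped file with generated
    # rules appended, and a copy that was edited above the marker.
    static = b"# constructed static rules\nOptions -Indexes\n"
    expected = hashlib.sha512(static).hexdigest()  # stands in for 'expected:'
    with tempfile.TemporaryDirectory() as tmp:
        shipped = Path(tmp, "shipped.htaccess")
        edited = Path(tmp, "edited.htaccess")
        shipped.write_bytes(static + MARKER + b"\nRewriteBase /owncloud\n")
        edited.write_bytes(b"Header unset X-Test\n" + static + MARKER + b"\n")
        for path, verdict in compare([shipped, edited], expected).items():
            print(f"{verdict:12}  {path}")
```

Passing the installed .htaccess and a copy from a clean download of the same version, together with the `expected:` value from `php occ integrity:check-core`, shows which file the report's hash was generated against.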