New user, worried about security of the root folder

help

#1

Hello I'm new so I hope this is in the right place. I tried to create a new topic in the Help section but was not allowed to. I tried checking the 'Known Issues Pinned Thread' but it is not on the list of topic areas, or at least I can't find it. There doesn't seem to be a thread or section about the poor security of the files in the root folder. I have perhaps installed things wrongly but can't see where in the instructions the exact contents of the root folder is described. The instructions simply say to copy everything out of /usr/lib/owncoud and put it into /var/www/owncloud.

Having run the setup from the web interface and followed instructions to harden the installation by running the suggested script to change permissions, I am so worried about the poor security that I have un-installed owncloud pending a resolution of these concerns.

My web root directory includes several files that seem very insecure to me. These include:

https://{my-website}/owncloud/db_structure.xml which lists the database structure out on the browser.

https://{my-website}/owncloud/status.php which lists out on the browser information about which version of the software is being used and other info about versions of files.

There are other php files that provide information directly to anyone navigating to the web site and typing on the filenames, without them having to go through the login interface first. This feels very insecure.

Has anyone come across this before, is there a list of files that are essential so I can delete these ones, or maybe move them down out of the root directory so they can do their job but only from inside the authorised login web interface.

Many thanks.


#2

Hi,

where did you get this instructions from? /usr/lib/owncloud is no path used in any documentation of doc.owncloud.org.

Those are all free available information. It makes no sense to hide such information which can be easily gathered from various other resources.

The only important part of ownCloud you need to protect is the data directory content. For this you can find the needed hardening info here:

https://doc.owncloud.org/server/9.1/admin_manual/configuration_server/harden_server.html#place-data-directory-outside-of-the-web-root


#3

Thanks RealRancor, maybe that is where I am going wrong.

There is a gap in the instructions. I am fortunate to have Debian 8 Jessie, and the repos already have an owncloud package.

Having done an apt-get install owncloud the instructions say to run the install wizard through the browser going to http://{my-domain}/owncloud.

However this folder didn't get created by the package install, so something needs to be copied into /var/www/owncloud .

The instructions on https://doc.owncloud.org/server/9.0/admin_manual/installation/source_installation.html are form manual installation on Linux. These are the only instructions I have been able to find that talks about copying files into /var/www. It says that having installed (from the .tar.bz tarball) I need to do a cp -r owncloud /var/www

This gets the files into the web server so I can navigate in the browser to the admin login (Installation wizard) and finish setting up.

I did a find / -name owncloud -print and there were two possible directories to copy from. One only had one .php file in (configure.php I think and maybe has the database password in it). The other was /usr/share/owncloud which has an index.php in it.

When I copied these files using cp -r into the /var/www/owncloud directory the web interface worked and I was able to set up the owncloud and get it working nicely.

On other apps I am just used to hiding sensitive files like status.php and db_structure.xml behind the user interface, I am surprised to see them in the root directory and accessible to anyone browsing without logging in first.

So you are right, my question comes from having copied all the files from /usr/share/owncloud into the root of my server. Maybe I shouldn't have done that, I just guessed that was the thing to do as it doesn't say what to do in the installation instructions.

Does anyone know please, is that what I should have done and do these extra .php and .xml files live in /var/www/owncloud? Can anyone say, are these files supposed to be in the root directory of every owncloud installation?

To put it another way, is there a definitive list of what files should be copied into the root directory of the owncloud service, and where these file should get copied from?

Thank you for all your interest and help.


#4

Hi,

this is just the wrong installation path where your files are ending up. None of the official packages provided by owncloud.org is installing all files there. So the base of this discussion is even wrong.

As already written above these are no sensitive informations. The ownCloud sync client even won't work without the status.php.

Everything whats e.g. in the archive of https://download.owncloud.org/community/owncloud-9.1.1.tar.bz2 needs to be in the root directory.


#5

To clarify the situation: the db_structure.xml only shows the general structure of a owncloud database of that version. That is not secret at all. It doesn't allow you to access the actual database.

version.php shows the version number, however the major version could be identified by inspecting the logon-screen as well. Not sure if it's worth filing an issue to ask to return only the major version of OC (it might break existing monitoring solutions). It is only security by obscurity.


#6

@anon30676603: The point that the ownCloud client does not work without statups.php is in my view neither a sign of good practice, nor one of security. On the contrary, it makes you have the file there. And especially given all kinds of mass attacks, I consider it bad practice to serve information that is not essential for a system to work on a silver platter to anybody who cares to open a standard URL. Please note that this is not about security by obfuscation. Security by obfuscation means reliance on people not knowing the mechanism of the software for it to be secure (roughly: the algorithm is the key -- which is bad). Here, we are talking about not making an attack easier (when an attacker has more information, it is easier and quicker for him to find the weak spots).

As to the discussion having the wrong base, I do not get your point - you write that not all files should not go to the directory /var/www/owncloud (an owncloud directory under wwwroot in Debian), then in the last sentence you write that all contents of the owncloud distribution should be in the root directory (of what actually, I assume the ownCloud installation). In my understanding, what BlueDay has described to have done is exactly what you suggest in the last. If you think to use /var/www/ (as wwwroot) instead of /var/www/owncloud, that makes no difference at all for the discussion as it only implies where the ownCloud installation lies. Have I misunderstood you? (Probably)


#7

I think you have never heard of https://wpscan.org/ and similar tools?

Edit

And before some one is screaming "Nextcloud" just quoting:

Version disclosure

At the moment we consider version disclosure an accepted risk as an attacker can enumerate service versions using other means as well. (e.g. comparing behaviour)

-> https://nextcloud.com/security/threat-model/

There are also currently discussing this: https://help.nextcloud.com/t/status-php-looks-not-good-for-me/6238

To sum-up:

There is no way to hide information from an attacker if running an web application like ownCloud. And:

is exactly "Security by obfuscation" by hiding information and hope an attacker is not able to gather this information.


#8

I'm not sure if this discussion is leading somewhere. It would probably be better to make a feature request, perhaps even provide a pull request. If there is a serious security issue, you can even use hackerone.com/owncloud.