Security Message

8.2.x

#1

I have ownCloud running on CentOS with HTTPS, and somehow I have access to all the files just by putting https://address/data in the URL. I also have this error message in the security admin panel:

Security & setup warnings

Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.
No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

I have tried everything from Google and nothing is working. Can someone help me with this, as it's very urgent and the service is shut down at the moment?
The current version of ownCloud is 8.1.3 (stable).


#2

Same answer as in [1] also applies here:

I think it might help more if you explain what steps you did and what issues you're still facing. The only pointer that can currently be given here is the documentation, which provides all the info needed to solve this message (see below).

So have a look at the documentation and work your way through it. I think the people in here are happy to answer any specific questions you have when doing so.

Documentation on these messages is linked below at [2].

[1]

[2] https://doc.owncloud.org/server/latest/admin_manual/configuration_server/security_setup_warnings.html


#3

Just noticed that there is also a FAQ about the "datadirectory" available here at the forums at [1].

The suggestion that you should specify what you have done so far and what issues you're facing is still valid. The documentation on how to fix this stuff is available, and people can't give you additional info as they can't guess your environment, setup and issues.

[1]


#4

Thank you for replying!

The problem came from nowhere. First of all, we lost the data (it is still unclear how, but 90% it was some user). ownCloud runs under VMware, so we have a backup of it. I restored all the files using the cloned VM from the VMware backup, then put the files in the production one. Everything was working fine; after 2 months we got these error messages in the security panel, and I saw that I could access the files from the browser without logging in. If I go to "https:///data" I can see and access all the files. I have read everything in the FAQ and I have read this post. I have two ".htaccess" files. One is placed in "/var/www/html/owncloud" and the other in "/var/www/html/owncloud/data". I have tried putting in "AllowOverride All" and lots of different stuff I could find on Google. But nothing is helping.

I really can't explain much, unless you ask me. ownCloud was working perfectly for a long time, meaning no security message was shown. I have scanned the VM for malicious software and looked at the logs, but nothing from a hacking perspective is happening. I don't know what to look for, as the service was perfect. Somehow this message came up. I don't know why. Maybe auto updates are happening from ownCloud? Do I have to move the "data" folder out of the /var/www/html/ directory? Maybe the files were accessible to the public from the beginning, and that is why they were deleted in the first place?


#5

That version is not up to date: https://owncloud.org/changelog/#latest8.1
It's probably not related to your problem, but you should really update to the latest version of the 8.1 branch. Also consider doing an upgrade to 8.2 soon, since 8.1 reaches end of life soon (May or June this year).

That would work in any case. The AllowOverride All should normally work if put in the right place.

As an alternative, you can try to set the permissions directly in your Apache configuration:

<Directory /path/to/owncloud/data>
Order Deny,Allow
Deny from All
</Directory>

#6

Hi tflidd,

This part actually helped me! I no longer have access to the data over the URL. But now I have the following issues showing up in the security panel:

No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

But again, changing stuff in the .htaccess is not helping. Any suggestion on this?

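The three warnings in this thread can be verified from a single captured HTTP response rather than by re-reading the admin panel. The following is an added example, not ownCloud's own code; the response text in it is a constructed sample, and in practice you would feed it the output of `curl -sI https://your-host/data/` instead.

```python
"""Audit the ownCloud setup warnings from a captured HTTP response head.

Added example, not code from ownCloud or from this thread. SAMPLE_RESPONSE is
constructed; replace it with the real response head from your server.
"""
import re

# Threshold quoted in the ownCloud warning text above.
MIN_HSTS_MAX_AGE = 15768000

# Constructed sample: /data/ is denied (good), HSTS max-age is far too short,
# and X-Frame-Options is missing entirely.
SAMPLE_RESPONSE = """HTTP/1.1 403 Forbidden
Date: Mon, 01 Jan 2016 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536
Content-Type: text/html; charset=iso-8859-1
"""


def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) from a raw head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value or "", re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(raw):
    """Map each admin-panel warning to True (resolved) or False (still open)."""
    status, h = parse_response(raw)
    age = hsts_max_age(h.get("strict-transport-security"))
    return {
        # The data dir must not be served: 403 (denied) or 404 (moved out of docroot).
        "data_dir_blocked": status in (403, 404),
        "x_frame_options_sameorigin": h.get("x-frame-options", "").upper() == "SAMEORIGIN",
        "hsts_long_enough": age is not None and age >= MIN_HSTS_MAX_AGE,
    }


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_RESPONSE).items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
```

A 200 on /data/ means the Deny rule or .htaccess is not being applied at all, so fix that first; the two header checks only matter once the directory itself is no longer served.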

#7

See the information already posted above [1]. It's really nearly impossible to answer you if you just say "any suggestions on this". If you have specific questions about this documentation, or if you're struggling at some point with the documentation, please ask specific questions.

The only suggestion that can be given currently is: work your way through the provided documentation.

[1]