I use ownCloud server 10.13.4 (recently upgraded) and our security team revealed a vulnerability: some files from the root ownCloud folder are accessible in the browser without authentication, for example https:/oc.server.name/README.md.
Apache confs are set according to the installation guide.
Is such behaviour by design, and is it possible to secure the ownCloud folder contents from anonymous access?
Steps to reproduce
- Access the direct URL with a browser, no login: https:/oc.server.name/README.md
Expected behaviour
“Access denied” message
Actual behaviour
File content is shown
ownCloud version: (see ownCloud admin page)
Updated from an older ownCloud or fresh install: updated from 10.9.1.2
From what I know it is generally the responsibility of the web server to block access to such files and not the responsibility of the web application (besides what is already blocked via a .htaccess file shipped by ownCloud for its own sensitive files and folders).
I think the README.md is not sensitive as this is also freely available at https://github.com/owncloud/core/blob/master/README.md
The /log/ folder and the requests.log file it contains are not part of ownCloud (the log files of ownCloud are placed in /data/*.log), and I think you would either need to remove it from your server or block access to it in your web server configuration.
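One way to do the web-server-side blocking suggested above, as an added Apache example that is not from this thread or from ownCloud's shipped configuration. It assumes ownCloud is installed at /var/www/owncloud and that the foreign log/ folder sits directly inside that document root; adjust both paths to your setup.

```apache
# Added example (not from this thread): deny anonymous access to a stray,
# non-ownCloud "log/" folder inside the ownCloud document root, without
# touching the paths ownCloud itself needs.
# Assumption: ownCloud is installed at /var/www/owncloud.

# Weak: only the Directory block from the installation guide, so the
# shipped .htaccess protects /data/ and /config/ but /log/requests.log,
# which ownCloud knows nothing about, is served to everyone.
<Directory /var/www/owncloud>
    Options +FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>

# Hardened: block just the foreign folder. ownCloud's PHP front controller
# and its own rewrite rules are untouched, so the application keeps working.
<Directory /var/www/owncloud/log>
    Require all denied
</Directory>

# Optional: README.md carries no secrets, but denying it removes the
# scanner finding without affecting any application route.
<FilesMatch "^README\.md$">
    Require all denied
</FilesMatch>
```

After `apachectl configtest` and a reload, an unauthenticated `curl -I` against /log/requests.log and /README.md should return 403 while the login page still loads.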
Thanks for your comments.
You are right (but imho, only partially).
It looks quite strange to me that application internals are exposed to everyone even though it has an authentication mechanism enabled.
If I try to block access to OC internal structure files using web server means (.htaccess or server directives), the application functionality breaks, so it doesn’t help much, though access to log/ is successfully blocked.
README of course is not sensitive, but the security scan thinks the application is potentially vulnerable as it allows unauthenticated access to some of its content.
From what I know every web application written in PHP (like ownCloud) can only “protect” files “natively” (meaning without support on the web server level) via authentication if these are
Other sensitive files like the content of the /data directory seem to be protected by ownCloud via a created file
Other non-sensitive files like a README.md seem to be not blocked; I think it could be possible that the ownCloud team doesn’t see this as “application internals” (as the info is freely public anyway) and the security scan has created a false positive in this case.
/log/ file case: I think this is a non-ownCloud folder and as such ownCloud doesn’t have any knowledge of it and can’t block access to it at all.
I have tested on my own installation (without any changes to the .htaccess files) and also at https://demo.owncloud.org/README.md, and I’m getting redirected to the login page in both cases, but not sure why.
As far as I know, except for specific file extensions (mostly assets), you should get redirected to the login page, as Tom said.
You could try to set up a Docker installation, check the behavior, and then compare how things are set up there.