Unauthenticated access to owncloud root files

Hi all

I use owncloud server 10.13.4 (recently upgraded) and our security team revealed a vulnerability - some files from the root owncloud folder are accessible in the browser without authentication, for example: https:/oc.server.name/README.md,
https:/oc.server.name/log/requests.log

Apache confs are set according to the installation guide.
Is such behaviour by design, and is it possible to secure the owncloud folder contents from anonymous access?

Steps to reproduce

  1. Access direct url with browser, no login: https:/oc.server.name/README.md

Expected behaviour

“Access denied” message

Actual behaviour

File content is shown

Server configuration

OracleLinux 7.6

Web server:
apache 2.4.6

Database:
mysql/mariadb v15.1

PHP version:
7.4.33

ownCloud version: (see ownCloud admin page)
10.13.4

Updated from an older ownCloud or fresh install:
updated from 10.9.1.2

Hey,

From what I know, it is generally the responsibility of the web server to block access to such files and not the responsibility of the web application (besides what is already blocked via the .htaccess file shipped by ownCloud for its own sensitive files and folders).

I think the README.md is not sensitive as this is also freely available at https://github.com/owncloud/core/blob/master/README.md

The /log/ folder and the requests.log file it contains are not part of ownCloud (the log files of ownCloud are placed in /data/*.log), and I think you would either need to remove it from your server or block access to it in your web server configuration.


Hi tom42,
Thanks for your comments.
You are right (but IMHO only partially).

It looks quite strange to me that application internals are exposed to everyone despite it having an authentication mechanism enabled.
If I try to block access to OC internal structure files using web server means (.htaccess or server directives), the application functionality breaks, so it doesn’t help much, though access to log/ is successfully blocked.
README, of course, is not sensitive, but the security scan thinks the application is potentially vulnerable as it allows unauthenticated access to some of its content.
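The breakage described above usually comes from denying too broadly (for example a blanket deny on everything that is not a .php file, which also blocks the CSS/JS assets under apps/ and core/). The following Apache 2.4 fragment is an added example, not part of this thread and not ownCloud's shipped .htaccess: it denies only the top-level documentation files and the directories that never need to be served over HTTP, and leaves the PHP entry points and asset directories untouched. It assumes ownCloud is installed in /var/www/owncloud and served from the vhost root; adjust the paths to your layout.

```apache
# Added example: targeted denies for an ownCloud web root (assumed path
# /var/www/owncloud). Goes into the vhost or a conf.d snippet; requires
# mod_authz_core, which is part of every Apache 2.4 build.
<Directory /var/www/owncloud>
    # Keep ownCloud's own .htaccess rules (data/ protection, rewrites) working.
    AllowOverride All
    Require all granted

    # Top-level metadata files that a browser never needs. "Require all denied"
    # answers with 403 Forbidden, i.e. the "access denied" the scan expects.
    <FilesMatch "^(README\.md|CHANGELOG\.md|COPYING|AUTHORS|composer\.(json|lock)|\.user\.ini)$">
        Require all denied
    </FilesMatch>
</Directory>

# Directories that must never be reachable over HTTP. The log/ directory is
# not part of ownCloud (its own logs live in data/*.log); config/, data/ and
# lib/ hold application internals, not content served to clients.
<DirectoryMatch "^/var/www/owncloud/(log|config|data|lib)(/|$)">
    Require all denied
</DirectoryMatch>
```

After `apachectl configtest` and a reload, verify both halves of the change: an unauthenticated `curl -I https://oc.server.name/README.md` and `curl -I https://oc.server.name/log/requests.log` should now return 403, while the login page, a logged-in browse of the files app and a WebDAV sync still work, because apps/, core/ and index.php were not touched. If the scanner still flags other paths, add them to the `<FilesMatch>` or `<DirectoryMatch>` pattern one at a time and retest, rather than widening the deny to whole extensions.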

Hey,

From what I know, every web application written in PHP (like ownCloud) can only “protect” files “natively” (meaning without support at web server level) via authentication if these are .php files.

Other sensitive files like the content of the /data directory seem to be protected by ownCloud via a created file /data/.htaccess.

Other non-sensitive files like README.md seem not to be blocked; I think it could be possible that the ownCloud team doesn’t see this as “application internals” (as the info is freely public anyway) and the security scan has created a false positive in this case.

For the /log/ file case, I think this is a non-ownCloud folder and as such ownCloud doesn’t have any knowledge of it and can’t block access to it at all.

Addition:

I have tested on my own installation (without my own .htaccess file changes) and also at https://demo.owncloud.org/README.md and I’m getting redirected to the login page in both cases, but I'm not sure why.


As far as I know, except for specific file extensions (mostly assets), you should get redirected to the login page, as Tom said.
You could try to set up a docker installation, check the behavior, and then compare how things are set up there.
