Our data directory is /var/www/html/owncloud/data
Our log file lives within the data directory.
During a vulnerability assessment it was determined you could open the log file by doing the following:
https://IPADDRESSOFWEBSERVER/data/owncloud.log
With access to the log files someone can take the LDAP identifier and use it to craft a URL that gains access to the user’s files like this:
https://IPADDRESSOFWEBSERVER/data/RG76339F-8RD2-229G-DRRG-933758229PRP/files/
A malicious user could access all files using the logs to attain the LDAP identifier.
I’m trying to follow directions to change the directory of the log file but ownCloud is still writing the file to the data directory.
I’ve added the following to my log file located /var/www/html/owncloud/config/config.php:
I even moved the log file to that location but still ownCloud writes the log to the data directory.
Can someone please help me close this security hole?
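
A check for the exposure described in this post, as an added example that is not part of the original post or of ownCloud's own code: it reads `datadirectory` and `logfile` from config.php text and reports the URL path under which each would be served. The document root `/var/www/html/owncloud` is inferred from the paths and URLs in the post, the `logfile` value and both sample configs are constructed, and the default log location is an assumption based on the post.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed config.php samples (not taken from the post).
SAMPLE_BEFORE = """<?php
$CONFIG = array (
  'datadirectory' => '/var/www/html/owncloud/data',
);
"""
SAMPLE_AFTER = """<?php
$CONFIG = array (
  'datadirectory' => '/var/www/html/owncloud/data',
  'logfile' => '/var/log/owncloud/owncloud.log',
);
"""

Q = "['\"]"  # either PHP quote style

def read_key(config_text, key):
    """Return the string value of 'key' => 'value' in config.php text, or None."""
    pattern = Q + re.escape(key) + Q + r"\s*=>\s*" + Q + "([^'\"]+)" + Q
    m = re.search(pattern, config_text)
    return m.group(1) if m else None

def web_path(docroot, target):
    """URL path at which target is served if it lies inside docroot, else None."""
    target = PurePosixPath(posixpath.normpath(target))  # collapse ../ first
    try:
        return "/" + str(target.relative_to(PurePosixPath(docroot)))
    except ValueError:
        return None  # outside the web root

def audit(config_text, docroot):
    """Map each sensitive location to its URL path (None = not web-reachable)."""
    data = read_key(config_text, "datadirectory")
    if data is None:
        raise ValueError("datadirectory not set in config")
    # Assumption: with no 'logfile' key the log is owncloud.log in the data directory.
    log = read_key(config_text, "logfile") or posixpath.join(data, "owncloud.log")
    return {"datadirectory": web_path(docroot, data),
            "logfile": web_path(docroot, log)}

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(text, "/var/www/html/owncloud"))
```

In the second sample the log is no longer under the web root, but `datadirectory` still maps to `/data`, so the per-user `files/` paths stay reachable unless the web server denies access to that directory or the data directory is moved as well.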