Vulnerable log file in data directory cannot move

Our data directory is /var/www/html/owncloud/data
Our log file lives within the data directory.
During a vulnerability assessment it was determined you could open the log file by doing the following:
https://IPADDRESSOFWEBSERVER/data/owncloud.log
With access to the log files someone can take the ldap identifier and use it to craft a url that gains access to the user’s files like this:
https://IPADDRESSOFWEBSERVER/data/RG76339F-8RD2-229G-DRRG-933758229PRP/files/
A malicious user could access all files using the logs to attain the ldap identifier.
I’m trying to follow directions to change the directory of the log file but ownCloud is still writing the file to the data directory.
I’ve added the following to my log file, located at /var/www/html/owncloud/config/config.php:


I even moved the log file to that location but still ownCloud writes the log to the data directory.
Can someone please help me close this security hole?

Generally speaking you should not have your data folder in the public root.

Back up your file and data first.

You should move the entire data folder outside the public root to something like /var/owncloud/data. Then update your config file to reflect this new location.

Then run an SQL query to change all instances of the OLD location prefix to the new location.

This will protect all of your data files and the log file from external direct link access.
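The move described in this answer has two parts that are easy to get wrong: confirming the data directory really is under the document root, and rewriting the storage ids ownCloud keeps in its database so they point at the new path. The following is an added example (not ownCloud code and not from the poster) that does both. It assumes the ownCloud convention that the primary storage row in `oc_storages` has the id `local::<datadirectory>/`, and it uses an in-memory SQLite table with constructed rows as a stand-in for the real MySQL/MariaDB database; on MySQL the same update would be written with `CONCAT()` instead of `||`.

```python
import os
import sqlite3

# Assumed document root from the question (/var/www/html); adjust to your vhost.
DEFAULT_DOCROOT = "/var/www/html"


def data_dir_is_web_exposed(datadirectory: str, docroot: str = DEFAULT_DOCROOT) -> bool:
    """True when the data directory sits inside the web server's document root.

    In that case files such as owncloud.log (and per-user files/ trees) are reachable
    by URL unless the web server explicitly denies access to the directory.
    """
    data = os.path.abspath(datadirectory)
    root = os.path.abspath(docroot)
    # commonpath avoids the /var/www/html vs /var/www/htmlx string-prefix mistake
    return os.path.commonpath([data, root]) == root


def storage_prefixes(old_datadir: str, new_datadir: str):
    """Return the (old, new) oc_storages id prefixes implied by moving the data directory.

    Assumption: ownCloud records the primary local storage as 'local::<datadirectory>/'.
    """
    old = "local::" + old_datadir.rstrip("/") + "/"
    new = "local::" + new_datadir.rstrip("/") + "/"
    return old, new


def rewrite_storage_prefix(conn: sqlite3.Connection, old_datadir: str, new_datadir: str) -> int:
    """Rewrite every oc_storages.id that starts with the old local:: prefix.

    Matches with substr() rather than LIKE so that '_' or '%' in a path cannot act
    as wildcards, and binds all values as parameters. Returns the number of rows changed.
    """
    old, new = storage_prefixes(old_datadir, new_datadir)
    cur = conn.execute(
        "UPDATE oc_storages SET id = ? || substr(id, ?) WHERE substr(id, 1, ?) = ?",
        (new, len(old) + 1, len(old), old),
    )
    conn.commit()
    return cur.rowcount


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the ownCloud database: one local primary storage,
    one per-user home storage and one external local mount that must stay untouched."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_storages (numeric_id INTEGER PRIMARY KEY, id TEXT NOT NULL UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO oc_storages (id) VALUES (?)",
        [
            ("local::/var/www/html/owncloud/data/",),
            ("home::alice",),
            ("local::/mnt/external/share/",),
        ],
    )
    return conn


def storage_ids(conn: sqlite3.Connection):
    return [row[0] for row in conn.execute("SELECT id FROM oc_storages ORDER BY numeric_id")]


if __name__ == "__main__":
    old_dir = "/var/www/html/owncloud/data"
    new_dir = "/var/owncloud/data"
    print("old location exposed:", data_dir_is_web_exposed(old_dir))
    print("new location exposed:", data_dir_is_web_exposed(new_dir))
    db = build_sample_db()
    print("rows rewritten:", rewrite_storage_prefix(db, old_dir, new_dir))
    for sid in storage_ids(db):
        print(" ", sid)
```

After moving the directory on disk and setting `'datadirectory' => '/var/owncloud/data'` in config.php, confirm the fix from outside: a request for `https://IPADDRESSOFWEBSERVER/data/owncloud.log` should now return a 404 (or a 403 if the web server also denies the old path), and the user file trees should no longer be reachable by URL.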

