ownCloud 9.0.3 : The .htaccess file is not working! ?? #25416

Tas-sos opened this Issue Jul 7, 2016 · 16 comments


Tas-sos commented Jul 7, 2016

Steps to reproduce

A few days ago I upgraded to the latest version of ownCloud (ownCloud 9.0.3 (stable)).

Expected behaviour

I did not expect to have any security problem, because before I upgraded everything worked correctly.

Actual behaviour

After the upgrade I have the following warning in the management page :

Server configuration

Operating system: Ubuntu Server 16.04 LTS

Web server: Apache/2.4.18 ( Ubuntu )

Database: Mysql Ver 14.14 Distrib 5.7.12

PHP version: 7.0.4-7ubuntu2.1

ownCloud version: ownCloud 9.0.3 (stable)

Updated from an older ownCloud or fresh install: I upgraded from the previous version

https://myDomain/index.php/settings/integrity/failed :
No errors have been found.

List of activated apps:

cd to_owncloud_directory

...# sudo -u www-data php occ app:list

  - activity: 2.2.1
  - comments: 0.2
  - dav: 0.1.6
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_external: 0.5.2
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
  - encryption
  - external
  - files_antivirus
  - user_external
  - user_ldap

The content of config/config.php:

    "system": {
        "updatechecker": false,
        "instanceid": "occblt5pmm48",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/myDomain.com",
        "dbtype": "mysql",
        "version": "",
        "dbname": "dbName",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "loglevel": 0,
        "maintenance": false,
        "htaccess.RewriteBase": "\/"

What could be wrong? (whereas before everything was fine)
Are my files indeed accessible to all?

Thank you very much.

dergilb99 commented Jul 8, 2016 edited

I had the same problem. I uploaded another .htaccess from an older installation. The error was gone then. It looks like this:

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *

I think it would be helpful if you could post your .htaccess as well.

At all: Since I used an older .htaccess, is it still ok or has something changed?

ghost commented Jul 8, 2016


this is known and will be fixed with 9.0.4: #25331

Tas-sos commented Jul 10, 2016

I saw your answers from the first moment, but excuse me, only now did I manage to answer.
(But I was glad for the immediate responses)

So first of all, to clarify the following: am I really vulnerable or not?

@dergilb99 I tried your solution and so I added these lines to my .htaccess file:

<ifModule mod_authz_core.c>
Require all denied
</ifModule>

IndexIgnore *

(Because the version of my Apache is: Apache/2.4.18 (Ubuntu))

But with this setting, I did not have access anywhere on the site.
I was getting a Forbidden 403 error.

So in the end I left the file as it was. (By the way, this is the .htaccess file I have.)

I have also done this setting, as referred to by the official documentation.

@RealRancor When will this update (9.0.4) be available?
Until then, am I vulnerable?
If I really am, how can I check it? How can I see the files without certification?

Thank you and sorry for the delayed reply (and my bad English)! :)

ghost commented Jul 10, 2016


you're not vulnerable. Currently the check is just failing to detect a protected datadir correctly. Until oC 9.0.4 is available you can do the following file modifications: https://github.com/owncloud/core/pull/25331/files and the message should be gone.

dergilb99 commented Jul 10, 2016 edited

Hi Tas-sos,

I have a similar .htaccess, but in the owncloud directory. I meant the one in the data directory (owncloud/data, in your case). I guess you edited the owncloud .htaccess file.

owncloud: the long .htaccess file
owncloud/data: the short one

@RealRancor: I did not make the modifications you mentioned, just uploaded the old .htaccess. Message is gone, too.

ghost commented Jul 10, 2016

Ah, then your issue is unrelated to #25331

Tas-sos commented Jul 10, 2016

Thank you.

Do I make these changes "by hand"?
Will there not be an update from the repositories?

Now I noticed that I have two .htaccess files. Like you:

  • /owncloud/ : the file I showed you above
  • /owncloud/data/.htaccess Oops! This file contains everything you told me exactly!!

So, where is the problem? : /

ghost commented Jul 10, 2016

@Tas-sos The next update which could fix this is planned for the end of August:



Oops! This file contains everything you told me exactly!!

Guessed so. ;-) I don't know what my .htaccess contained when I had this error (should've looked). I just reuploaded it. That solved the message in my case.

Now, back to the game!

Tas-sos commented Jul 10, 2016

Nice and interesting page, which I did not know about.
But I do not understand why it is not updated now (if we can fix it).
Just because (allow me) this "bug" produces confusion.
Anyway .. I do not know very well this process and how you decide to act.
Besides, the important thing is that, as you say, the error is not valid.

Namely we have exactly the same .htaccess files?


I use exactly the .htaccess I posted above.

ghost commented Jul 10, 2016


I do not know very well this process and how you decide to act.

I'm not deciding anything as I'm just a user as you are ;-)

Tas-sos commented Jul 10, 2016 edited

Ok. Thank you both! :)

PVince81 added this to the 9.0.4 milestone Jul 11, 2016
PVince81 self-assigned this Jul 11, 2016

edzoe commented Jul 14, 2016

I have the same problem after updating my cloud to 9.0.3. I didn't change anything in .htaccess (/owncloud or /data), everything original :-) The funny thing is this is not only a warning thrown out by a check-script and is not related to #25331.

I can bypass my .htaccess and access all my files... this is the biggest problem. I run CentOS 7 and updated ownCloud using repositories.

Note: Before the upgrade, I didn't have this security breach.

I added the below lines to my vhost config, but this is not a fix.

<Directory "/var/www/html/owncloud/data">
  # just in case if .htaccess gets disabled
  Require all denied
</Directory>

As for the false positive, the htaccess check has been improved, PR here for 9.0.4: #25435
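
The thread separates two cases: a warning that is a false positive, and a data directory that really is served. The script below is an example added here, not part of the thread or of ownCloud, that tells them apart on your own server by writing a canary file into the data directory and requesting it over HTTP. The function names, the canary file name and the `/data/` URL path are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: check from the outside whether files in the data directory
# are served over HTTP. The canary file name, the token and the /data/ URL
# path are assumptions of this example.

# verdict STATUS BODY_FILE TOKEN -> EXPOSED | PROTECTED | INCONCLUSIVE
verdict() {
  local status="$1" body="$2" token="$3"
  # The canary content came back: the file is readable, whatever the status says.
  if [ -s "$body" ] && grep -qF -- "$token" "$body"; then
    echo "EXPOSED"
    return 0
  fi
  case "$status" in
    401|403|404) echo "PROTECTED" ;;   # denied or hidden by the web server
    *) echo "INCONCLUSIVE" ;;          # redirect, 5xx, 000 (no connection), 200 error page
  esac
}

# check_datadir BASE_URL DATA_DIR
# Run as a user that may write to DATA_DIR, for example:
#   check_datadir https://myDomain.com /var/www/owncloud/data
check_datadir() {
  local base_url="$1" data_dir="$2"
  local name="htaccess-canary-$$.txt" token body status result
  token="canary-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  body="$(mktemp)"
  printf '%s\n' "$token" > "$data_dir/$name"
  # -w prints only the status code; the response body goes to $body.
  status="$(curl -s -o "$body" -w '%{http_code}' "$base_url/data/$name" || true)"
  result="$(verdict "$status" "$body" "$token")"
  rm -f "$data_dir/$name" "$body"
  echo "$result (HTTP $status)"
}
```

An EXPOSED result means the web server is ignoring the deny rules for that directory, for example because .htaccess overrides are not applied; PROTECTED alongside the admin-page warning matches the false positive described above.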

PVince81 closed this Jul 14, 2016