ownCloud 9.0.3 : The .htaccess file is not working! ?? #25416

Closed
Tas-sos opened this Issue Jul 7, 2016 · 16 comments

Tas-sos commented Jul 7, 2016

Steps to reproduce

A few days ago I upgraded to the latest version of ownCloud (ownCloud 9.0.3 (stable)).

Expected behaviour

I did not expect to have any security problem, because before I upgraded everything worked correctly.

Actual behaviour

After the upgrade I have the following warning in the management page :
[screenshot of the warning]

Server configuration

Operating system: Ubuntu Server 16.04 LTS

Web server: Apache/2.4.18 ( Ubuntu )

Database: Mysql Ver 14.14 Distrib 5.7.12

PHP version: 7.0.4-7ubuntu2.1

ownCloud version: ownCloud 9.0.3 (stable)

Updated from an older ownCloud or fresh install: I upgraded from the previous version

https://myDomain/index.php/settings/integrity/failed :
No errors have been found.

List of activated apps:

cd to_owncloud_directory

...# sudo -u www-data php occ app:list

Enabled:
  - activity: 2.2.1
  - comments: 0.2
  - dav: 0.1.6
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_external: 0.5.2
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
Disabled:
  - encryption
  - external
  - files_antivirus
  - user_external
  - user_ldap

The content of config/config.php:

{
    "system": {
        "updatechecker": false,
        "instanceid": "occblt5pmm48",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "myDomain",
            "111.my.Ip.111"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/myDomain.com",
        "dbtype": "mysql",
        "version": "9.0.3.2",
        "dbname": "dbName",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "loglevel": 0,
        "maintenance": false,
        "htaccess.RewriteBase": "\/"
    }
}

What could be wrong? (Whereas before everything was fine.)
Are my files indeed accessible to all?

Thank you very much.

dergilb99 commented Jul 8, 2016

I had the same problem. I uploaded another .htaccess from an older installation. The error was gone then. It looks like this:

# lines below are for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# lines below are for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *

I think it would be helpful if you could post your .htaccess as well.

To all: Since I used an older .htaccess, is it still OK or has something changed?

ghost commented Jul 8, 2016

Hi,

this is known and will be fixed with 9.0.4: #25331

Tas-sos commented Jul 10, 2016

I saw your answers from the first moment, but excuse me, only now have I managed to answer.
(But I was glad for the immediate responses.)

So first of all, to clarify the following: am I really vulnerable or not?

@dergilb99 I tried your solution and so I added these lines to my .htaccess file:

<ifModule mod_authz_core.c>
Require all denied
</ifModule>

IndexIgnore *

(Because the version of my Apache is Apache/2.4.18 (Ubuntu).)

But with this setting, I did not have access anywhere on the site.
I was getting a Forbidden 403 error:

Forbidden 403 error

So in the end I left the file as it was. (By the way, this is the .htaccess file I have.)

I have also done this setting, as referred to by the official documentation.

@RealRancor When will this update (9.0.4) be available?
Until then, am I vulnerable?
If I really am, how can I check it? How can I see the files without certification?

Thank you and sorry for the delayed reply (and my bad English)! :)

ghost commented Jul 10, 2016

Hi,

you're not vulnerable. Currently the check is just failing to detect a protected datadir correctly. Until oC 9.0.4 is available you can do the following file modifications: https://github.com/owncloud/core/pull/25331/files and the message should be gone.
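
An independent way to answer the "how can I check it?" question above, added here as an example (not code from this thread or from ownCloud): an administrator places a file with a known marker in the data directory and requests it without logging in. The probe file name, the marker and the base URL are assumptions made for this example.

```python
import sys
import urllib.error
import urllib.request

# Assumed for this example: an admin has created <datadirectory>/probe-datadir.txt
# containing MARKER. Both names are constructed, not ownCloud's own.
PROBE_NAME = "probe-datadir.txt"
MARKER = "datadir-probe-marker"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as an HTTPError instead of following it

def http_fetch(url, timeout=10):
    """GET url anonymously; return (status, body). status is None if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # URLError, timeouts, TLS and socket errors
        return None, ""

def classify(status, body, marker=MARKER):
    if status is None:
        return "unreachable"
    if status == 200 and marker in body:
        return "exposed"        # file contents served to an anonymous client
    if status in (401, 403):
        return "protected"      # a deny rule (.htaccess or vhost) is in effect
    if status == 404:
        return "not-served"     # datadir outside the web root, or wrong URL path
    return "inconclusive"       # e.g. 3xx to a login page, or 200 from a rewrite

def check_datadir(base_url, data_path="data", fetch=http_fetch):
    """Probe <base_url>/<data_path>/<PROBE_NAME>; return (url, verdict)."""
    url = f"{base_url.rstrip('/')}/{data_path.strip('/')}/{PROBE_NAME}"
    status, body = fetch(url)
    return url, classify(status, body)

if __name__ == "__main__":
    # Usage: python3 check_datadir.py https://cloud.example.test
    print(*check_datadir(sys.argv[1]))
```

Delete the probe file from the data directory once the check is done.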

dergilb99 commented Jul 10, 2016

Hi Tas-sos,

I have a similar .htaccess, but in the owncloud directory. I meant the one in the data directory (owncloud/data, in your case). I guess you edited the owncloud .htaccess file.

owncloud: the long .htaccess file
owncloud/data: the short one

@RealRancor: I did not make the modifications you mentioned, just uploaded the old .htaccess. Message is gone, too.

ghost commented Jul 10, 2016

Ah, then your issue is unrelated to #25331

Tas-sos commented Jul 10, 2016

Thank you.

@RealRancor
Do I make these changes "by hand"?
Will there not be an update from the repositories?

@dergilb99
Now I noticed that I have two .htaccess files, like you:

  • /owncloud/ : the file I showed you above
  • /owncloud/data/.htaccess Oops! This file contains everything you told me exactly!!

So, where is the problem? : /

ghost commented Jul 10, 2016

@Tas-sos The next update which could fix this is planned for the end of August:

https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule

dergilb99 commented Jul 10, 2016

Oops! This file contains everything you told me exactly!!

Guessed so. ;-) I don't know what my .htaccess contained when I had this error (should've looked). I just reuploaded it. That solved the message in my case.

Now, back to the game!

Tas-sos commented Jul 10, 2016

@RealRancor
Nice and interesting page, which I did not know.
But I do not understand why it is not updated now (if we can fix it).
Just because (if you allow me) this "bug" produces confusion.
Anyway .. I do not know very well this process and how you decide to act.
Besides, the important thing is that, as you say, the error is not valid.

@dergilb99
Namely we have exactly the same .htaccess files?

dergilb99 commented Jul 10, 2016

I use exactly the .htaccess I posted above.

ghost commented Jul 10, 2016

@Tas-sos

I do not know very well this process and how you decide to act.

I'm not deciding anything as I'm just a user as you are ;-)

Tas-sos commented Jul 10, 2016

OK. Thank you both! :)

@PVince81 PVince81 added this to the 9.0.4 milestone Jul 11, 2016

@PVince81 PVince81 self-assigned this Jul 11, 2016

edzoe commented Jul 14, 2016

I have the same problem after updating my cloud to 9.0.3. I didn't change anything in .htaccess (/owncloud or /data), everything original :-) The funny thing is this is not only a warning thrown out by a check script and is not related to #25331.

I can bypass my .htaccess and access all my files... this is the biggest problem. I run CentOS 7 and updated ownCloud using repositories.

Note: Before the upgrade, I didn't have this security breach.

I added the lines below to my vhost config, but this is not a fix.

<Directory "/var/www/html/owncloud/data">
    # just in case .htaccess gets disabled
    Require all denied
</Directory>

Member

PVince81 commented Jul 14, 2016

As for the false positive, the htaccess check has been improved, PR here for 9.0.4: #25435

@PVince81 PVince81 closed this Jul 14, 2016
