ownCloud 9.0.3 : The .htaccess file is not working! ?? #25416

Closed
Tas-sos opened this Issue Jul 7, 2016 · 16 comments


@Tas-sos
Tas-sos commented Jul 7, 2016

Steps to reproduce

A few days ago I upgraded to the latest version of ownCloud (ownCloud 9.0.3 (stable)).

Expected behaviour

I did not expect to have any security problem, because before I upgraded everything worked correctly.

Actual behaviour

After the upgrade I have the following warning on the management page (screenshot):

Server configuration

Operating system: Ubuntu Server 16.04 LTS

Web server: Apache/2.4.18 ( Ubuntu )

Database: Mysql Ver 14.14 Distrib 5.7.12

PHP version: 7.0.4-7ubuntu2.1

ownCloud version: ownCloud 9.0.3 (stable)

Updated from an older ownCloud or fresh install: I upgraded from the previous version

https://myDomain/index.php/settings/integrity/failed:
No errors have been found.

List of activated apps:

cd to_owncloud_directory

...# sudo -u www-data php occ app:list

Enabled:
  - activity: 2.2.1
  - comments: 0.2
  - dav: 0.1.6
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_external: 0.5.2
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
Disabled:
  - encryption
  - external
  - files_antivirus
  - user_external
  - user_ldap

The content of config/config.php:

{
    "system": {
        "updatechecker": false,
        "instanceid": "occblt5pmm48",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "myDomain",
            "111.my.Ip.111"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/myDomain.com",
        "dbtype": "mysql",
        "version": "9.0.3.2",
        "dbname": "dbName",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "loglevel": 0,
        "maintenance": false,
        "htaccess.RewriteBase": "\/"
    }
}

What could be wrong? (Before, everything was fine.)
Are my files really accessible to everyone?

Thank you very much.

@dergilb99
dergilb99 commented Jul 8, 2016 edited

I had the same problem. I uploaded another .htaccess from an older installation. The error was gone then. It looks like this:

# lines below are for Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>

# lines below are for Apache 2.2
<IfModule !mod_authz_core.c>
deny from all
Satisfy All
</IfModule>

# section for Apache 2.2 and 2.4
IndexIgnore *

I think it would be helpful if you could post your .htaccess as well.

To all: since I used an older .htaccess, is it still ok or has something changed?

@ghost
ghost commented Jul 8, 2016

Hi,

this is known and will be fixed with 9.0.4: #25331

@Tas-sos
Tas-sos commented Jul 10, 2016

I saw your answers right away but, excuse me, only now did I manage to answer.
(But I was glad for the immediate responses.)

So first of all, to clarify the following: am I really vulnerable or not?

@dergilb99 I tried your solution and added these lines to my .htaccess file:

<IfModule mod_authz_core.c>
Require all denied
</IfModule>

IndexIgnore *

(Because my Apache version is Apache/2.4.18 (Ubuntu).)

But with this setting I did not have access anywhere on the site.
I was getting a 403 Forbidden error (screenshot).

So in the end I left the file as it was. (By the way, this is the .htaccess file I have.)

I have also applied this setting, as described in the official documentation.

@RealRancor When will this update (9.0.4) be available?
Am I vulnerable until then?
If I really am, how can I check it? How can I see the files without authentication?

Thank you, and sorry for the delayed reply (and my bad English)! :)

@ghost
ghost commented Jul 10, 2016

Hi,

you're not vulnerable. Currently the check is just failing to detect a protected datadir correctly. Until oC 9.0.4 is available you can do the following file modifications: https://github.com/owncloud/core/pull/25331/files and the message should be gone.
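For the "how can I check it?" question above, here is an added example (not ownCloud's own setup check, and not code from anyone in this thread). It follows the same idea as ownCloud's check: ownCloud keeps a canary file, htaccesstest.txt, inside the data directory, and if an unauthenticated GET for it returns the file's text, the deny rule in data/.htaccess (or in the vhost) is not in effect. It also greps the two .htaccess files for a deny-all rule, because the thread's other failure mode is putting that rule in the webroot .htaccess and locking out the whole site. The hostname, the sample .htaccess contents, the "htaccess" marker used to recognise the canary body and the HTTP responses are all constructed assumptions for the example.

```python
"""Check whether an ownCloud data directory is reachable over plain HTTP.

Added example, not ownCloud's own setup check. Hostnames, sample file
contents and responses are constructed for the example.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

CANARY_NAME = "htaccesstest.txt"
# Assumption: the canary text mentions "htaccess"; a generic error or
# catch-all page normally does not.
CANARY_MARKER = "htaccess"


@dataclass
class Probe:
    status: int
    body: str


def http_get(url: str, timeout: float = 10.0) -> Probe:
    """GET a URL and return status plus body, also for 4xx/5xx responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "datadir-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.read().decode("utf-8", "replace"))


def classify_probe(probe: Probe) -> str:
    """'protected' (403 denied or 404 rewritten away), 'exposed' (canary
    served), 'ambiguous' (2xx but not the canary, e.g. a catch-all page)
    or 'unknown' (anything else, e.g. 5xx)."""
    if probe.status in (403, 404):
        return "protected"
    if 200 <= probe.status < 300:
        return "exposed" if CANARY_MARKER in probe.body.lower() else "ambiguous"
    return "unknown"


# Apache 2.4 and 2.2 spellings of the deny-all rule, one per line, case-insensitive.
_DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def htaccess_denies_all(text: str) -> bool:
    """True if an .htaccess carries a deny-all rule. Expected True for
    data/.htaccess and False for the webroot .htaccess (a deny-all there
    403s the whole site). The rule only takes effect if the vhost permits
    overrides (AllowOverride), which this function cannot see."""
    return bool(_DENY_ALL.search(text))


def check_instance(base_url: str, fetch=http_get) -> str:
    """Probe <base_url>/data/htaccesstest.txt ('data' is the default datadir)."""
    return classify_probe(fetch(f"{base_url.rstrip('/')}/data/{CANARY_NAME}"))


# Constructed samples standing in for the two files on an ownCloud 9 host.
SAMPLE_DATA_HTACCESS = """# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
deny from all
Satisfy All
</IfModule>
IndexIgnore *
"""
SAMPLE_ROOT_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^remote/(.*) remote.php [QSA,L]
</IfModule>
"""

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://myDomain"
    print(f"{base}: data directory is {check_instance(base)}")
    print("data/.htaccess denies all:", htaccess_denies_all(SAMPLE_DATA_HTACCESS))
    print("webroot .htaccess denies all:", htaccess_denies_all(SAMPLE_ROOT_HTACCESS))
```

Run it as `python3 probe.py https://myDomain` against a real instance; a result of "ambiguous" means a 2xx came back that is not the canary, so inspect the response by hand rather than assuming the directory is safe.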

@dergilb99
dergilb99 commented Jul 10, 2016 edited

Hi Tas-sos,

I have a similar .htaccess, but in the owncloud directory. I meant the one in the data directory (owncloud/data, in your case). I guess you edited the owncloud .htaccess file.

owncloud: the long .htaccess file
owncloud/data: the short one

@RealRancor: I did not make the modifications you mentioned, just uploaded the old .htaccess. Message is gone, too.

@ghost
ghost commented Jul 10, 2016

Ah, then your issue is unrelated to #25331

@Tas-sos
Tas-sos commented Jul 10, 2016

Thank you.

@RealRancor
Do I make these changes "by hand"?
Will there not be an update from the repositories?

@dergilb99
Now I noticed that I have two .htaccess files. Like you:

  • /owncloud/: the file I showed you above
  • /owncloud/data/.htaccess: Oops! This file contains exactly everything you told me!!

So, where is the problem? : /

@ghost
ghost commented Jul 10, 2016

@Tas-sos The next update which could fix this is planned for the end of August:

https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule

@dergilb99

Oops! This file contains exactly everything you told me!!

Guessed so. ;-) I don't know what my .htaccess contained when I had this error (should've looked). I just reuploaded it. That solved the message in my case.

Now, back to the game!

@Tas-sos
Tas-sos commented Jul 10, 2016

@RealRancor
Nice and interesting page, which I did not know about.
But I do not understand why it is not updated *now* (if we can fix it).
Just because (allow me) this "bug" produces confusion.
Anyway... I do not know this process very well, or how you decide to act.
Besides, the important thing is that, as you say, the error is not valid.

@dergilb99
So we have exactly the same .htaccess files?

@dergilb99

I use exactly the .htaccess I posted above.

@ghost
ghost commented Jul 10, 2016

@Tas-sos

I do not know this process very well, or how you decide to act.

I'm not deciding anything, as I'm just a user like you ;-)

@Tas-sos
Tas-sos commented Jul 10, 2016 edited

Ok. Thank you both! :)

@PVince81 PVince81 added this to the 9.0.4 milestone Jul 11, 2016
@PVince81 PVince81 self-assigned this Jul 11, 2016
@edzoe
edzoe commented Jul 14, 2016

I have the same problem after updating my cloud to 9.0.3. I didn't change anything in .htaccess (/owncloud or /data), everything original :-) The funny thing is this is not only a warning thrown out by a check script, and it is not related to #25331.

I can bypass my .htaccess and access all my files... this is the biggest problem. I run CentOS 7 and updated Owncloud using repositories.

Note: Before the upgrade, I didn't have this security breach.

I added the below lines to my vhost config, but this is not a fix.

<Directory "/var/www/html/owncloud/data">
    # just in case .htaccess gets disabled
    Require all denied
</Directory>
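As an added example (not from this thread and not ownCloud's documented configuration), the vhost-level deny above is most useful next to the `AllowOverride` setting that lets ownCloud's own .htaccess files take effect in the first place: if `AllowOverride` is `None`, neither the webroot rewrites nor the deny rule in data/.htaccess are read, and only the `<Directory>` block protects the data directory. The DocumentRoot, ServerName and data path are assumptions; TLS directives are omitted.

```apache
<VirtualHost *:443>
    ServerName myDomain
    DocumentRoot /var/www/html/owncloud

    # Honour ownCloud's .htaccess (rewrites, security headers, data deny rule).
    <Directory /var/www/html/owncloud>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Server-side deny for the data directory that does not depend on
    # .htaccess being read; it still applies if AllowOverride is set to None.
    <Directory /var/www/html/owncloud/data>
        Require all denied
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -I https://myDomain/data/htaccesstest.txt` should return 403 (or 404 if a rewrite swallows the path); a 200 means the directory is still readable.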
@PVince81
Collaborator

As for the false positive, the htaccess check has been improved, PR here for 9.0.4: #25435

@PVince81 PVince81 closed this Jul 14, 2016