OC env headers problem #29125

Closed
LIMEWONDERS opened this issue Sep 29, 2017 · 6 comments

Steps to reproduce

  1. Login to Owncloud with admin user
  2. Go to settings, general
  3. Error messages are displayed:
    The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
    The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

Expected behaviour

These messages shouldn't be displayed, as all required steps to prevent this/enable this are done.

Actual behaviour

Error messages are shown instead.

Server configuration

Operating system: ubuntu 16.04.

Web server: apache

Database: mysql

PHP version: php 7.0

ownCloud version: (see ownCloud admin page) - 10.0.3.

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: - from packages, apt-get install

Signing status (ownCloud 9.0 and above):


No errors have been found.

The content of config/config.php:


```json
{
    "system": {
        "updatechecker": false,
        "instanceid": "oc234jg3q0n9",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.0.100"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/192.168.0.100",
        "dbtype": "mysql",
        "version": "10.0.3.3",
        "dbname": "ownc_db",
        "dbhost": "127.0.0.1",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "127.0.0.1",
            "port": 6379,
            "timeout": 0
        }
    }
}
```


List of activated apps:


Enabled:

  • comments: 0.3.0
  • configreport: 0.1.1
  • dav: 0.3.0
  • federatedfilesharing: 0.3.1
  • federation: 0.1.0
  • files: 1.5.1
  • files_external: 0.7.1
  • files_sharing: 0.10.1
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • market: 0.2.2
  • notifications: 0.3.1
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.1
  • updatenotification: 0.2.1

Disabled:

  • encryption
  • external
  • files_antivirus
  • theme-example
  • user_external

Are you using external storage, if yes which one: local/smb/sftp/... - no

Are you using encryption: - no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... - no

Client configuration

Browser: - latest firefox browser

Operating system: windows 10

Logs

Web server error log

No errors reported in apache logs.

No errors related to headers are shown in logs.

ownCloud log (data/owncloud.log)


No errors related to headers are shown in logs.

Browser log


Header response clearly states this is enabled:

| Header | Value |
| --- | --- |
| Cache-Control | no-cache, must-revalidate |
| Connection | Keep-Alive |
| Content-Encoding | gzip |
| Content-Length | 4910 |
| Content-Security-Policy | default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self' |
| Content-Type | text/html; charset=UTF-8 |
| Date | Fri, 29 Sep 2017 12:09:56 GMT |
| Expires | Thu, 19 Nov 1981 08:52:00 GMT |
| Keep-Alive | timeout=5, max=100 |
| Pragma | no-cache |
| Server | Apache |
| Strict-Transport-Security | max-age=63072000; includeSubdomains |
| Vary | Accept-Encoding |
| X-Content-Type-Options | nosniff, nosniff |
| X-Download-Options | noopen |
| X-Frame-Options | DENY, SAMEORIGIN |
| X-Permitted-Cross-Domain-... | none |
| X-Robots-Tag | none |
| X-XSS-Protection | 1; mode=block |


I've also tried to put some random strings inside the .htaccess file, and then I get 500 - Internal Server Error - which means rewrite and .htaccess are loading.

Also - `apachectl -M`:

```text
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
```

As you can see, the env/rewrite modules are also loaded, which is required. AllowOverride is also set in apache.conf:

```apache
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>
```

and it's also set in vhost file of domain.

Any ideas what is wrong? Thank you.

ghost commented Sep 30, 2017

Your output is currently showing the issue. The server is sending invalid headers:

X-Content-Type-Options | nosniff, nosniff
--> Doubled "nosniff"

X-Frame-Options | DENY, SAMEORIGIN
--> Only DENY or SAMEORIGIN is allowed, not both

@ghost ghost closed this as completed Sep 30, 2017
@mSys-mislav

Any ideas where this could be loaded from? I have the same problem and I didn't find anything under ssl.conf in the apache mods dir; all header entries are disabled there, the vhost is clean, it doesn't even have an HSTS header - only the entries in .htaccess are active.


ghost commented Oct 1, 2017

@mislav-eu ownCloud is sending/defining some sane headers by default, so this won't show up on a standard setup (there are thousands of 10.0.x installations out there).

https://github.com/owncloud/core/blob/v10.0.3/.htaccess#L16-L25
-> If your webserver allows the use of a .htaccess and the needed modules are loaded

https://github.com/owncloud/core/blob/v10.0.3/lib/private/legacy/response.php#L259-L267
-> If your webserver does NOT allow the use of a .htaccess and/or the needed modules are NOT loaded

Everything else (like the duplicated nosniff or the DENY, SAMEORIGIN) is probably something where your webserver config is messing around with the headers.

If you're on Apache, you will find some options on how to get support for such issues here:

https://httpd.apache.org/support.html

Similar exists for nginx:

https://nginx.org/en/support.html


ghost commented Oct 1, 2017

FWIW, another issue could be duplicated headers sent by your webserver (e.g. X-Frame-Options SAMEORIGIN sent two times). This is invalid as well and will also show up as such warnings (see #24790).
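The two failure modes described in this thread (a comma-joined `nosniff, nosniff`, a conflicting `DENY, SAMEORIGIN`, or the same header line sent twice) can be checked against a captured response with the script below. This is an added example, not ownCloud's own check; the sample response is constructed to mirror the headers posted in the issue.

```python
# Added example (not ownCloud's code): flag duplicated or conflicting
# X-Content-Type-Options / X-Frame-Options values in a captured response,
# the condition behind the admin-page warnings discussed in this thread.
# Constructed sample mirroring the relevant headers posted in the issue.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff, nosniff\r\n"
    "X-Frame-Options: DENY, SAMEORIGIN\r\n"
    "X-Download-Options: noopen\r\n"
    "\r\n"
)

# Single-token headers the admin page compares against one expected value.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
}


def parse_headers(raw):
    """Map lower-cased header name -> list of every value seen.
    Repeated header lines and comma-joined values (what a proxy or a second
    Header directive produces, e.g. 'nosniff, nosniff') both end up as
    multiple entries, so they are reported identically."""
    values = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        parts = [v.strip() for v in value.split(",")] if name in EXPECTED else [value.strip()]
        values.setdefault(name, []).extend(parts)
    return values


def check_security_headers(raw):
    """Return [(header, problem)]; an empty list means the checks pass."""
    findings = []
    values = parse_headers(raw)
    for name, expected in EXPECTED.items():
        seen = [v.lower() for v in values.get(name, [])]
        if not seen:
            findings.append((name, "missing"))
        elif len(seen) > 1:  # e.g. DENY plus SAMEORIGIN from two config layers
            findings.append((name, "multiple values: " + ", ".join(seen)))
        elif seen[0] != expected:
            findings.append((name, "unexpected value: " + seen[0]))
    return findings
```

Run `check_security_headers(SAMPLE_RESPONSE)` to see both headers flagged; a response with each header sent exactly once and with the expected value returns an empty list.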

@mSys-mislav

I'll check if there are any double entries there, everything else is basically default installation followed by cmd lines from admin docs. Thank you.


lock bot commented Aug 1, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
