Hello,
I found a security issue with the default install of OwnCloud.
The default install leaves the data directory wide open.
The default apache configuration specifies the following:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
The second AllowOverride should be All instead of None.
On the linux server page[1] the sixth step should be:
6. To enable the use of the .htaccess files: Add
<Directory /var/www/owncloud/>
AllowOverride All
</Directory>
It would be nice it owncloud would check if the .htaccess files can be
loaded.
I saw the 'SetEnv htaccessWorking true' in the root .htaccess but this
didn't display
any messages.
A fix. To be put in index.php after 'if($not_installed)' and before
'if($_SERVER['REQUEST_METHOD'...
// Check for a working .htaccess file.
if (strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') and
getenv('htaccessWorking') != true){
$errors[] = array('error' => 'Security Error: .htaccess file is not
set',
'hint' => 'You are using apache and the .htaccess
isn\'t loaded. Set AllowOverride to All.');
OC_Template::printGuestPage('', 'error', array('errors' => $errors));
exit();
}
This checks if apache is used, and if so if the .htaccessWorking
parameter is set.
It will display an error when it's not set.
I think privacy and security is a major sellingpoint for owncloud.
As such I would like to see a security policy page for owncloud.
Which documents a couple of security points, for example:
-information about how to enable ssl
-how to harden the owncloud installation with information about:
secure the different databases
-the owncloud policy about security, such as:
-the passwords are sha1 hashed with a salt.
-the security is done by .htaccess check for access by seeing if
your data directory is accessible.
Furthermore, I haven't seen anything about unittests to check the code.
Something like `only admins can access this page` is stuff I'd like to
see tests for to
know it really works.
Regards,
Roland van Laar
[1] http://owncloud.org/support/setup-and-installation/linux-server/
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
