[Owncloud] Documentation issue enables a Major Security Issue on Apache/Ubuntu. Fixes and checks included.

Roland van Laar roland at micite.net
Thu Feb 23 23:03:44 UTC 2012


Hello,

I found a security issue with the default install of OwnCloud.
The default install leaves the data directory wide open.

The default apache configuration specifies the following:
<Directory />
         Options FollowSymLinks
         AllowOverride None
</Directory>
<Directory /var/www/>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride None
         Order allow,deny
         allow from all
</Directory>

The second AllowOverride should be All instead of None.

On the linux server page[1] the sixth step should be:
6. To enable the use of the .htaccess files: Add
<Directory /var/www/owncloud/>
     AllowOverride All
</Directory>

It would be nice if owncloud would check if the .htaccess files can be loaded.
I saw the 'SetEnv htaccessWorking true' in the root .htaccess but this didn't display any messages.

A fix. To be put in index.php after 'if($not_installed)' and before 'if($_SERVER['REQUEST_METHOD'...

// Check for a working .htaccess file.
if (strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') and getenv('htaccessWorking') != true){
     $errors[] = array('error' => 'Security Error: .htaccess file is not set',
                       'hint' => 'You are using apache and the .htaccess isn\'t loaded. Set AllowOverride to All.');
     OC_Template::printGuestPage('', 'error', array('errors' => $errors));
     exit();
}

This checks if apache is used, and if so if the .htaccessWorking 
parameter is set.
It will display an error when it's not set.

I think privacy and security are a major selling point for owncloud.
As such I would like to see a security policy page for owncloud,
which documents a couple of security points, for example:
- information about how to enable ssl
- how to harden the owncloud installation with information about:
     secure the different databases
- the owncloud policy about security, such as:
     - the passwords are sha1 hashed with a salt.
     - the security is done by .htaccess check for access by seeing if your data directory is accessible.

Furthermore, I haven't seen anything about unit tests to check the code.
Something like `only admins can access this page` is stuff I'd like to see tests for to know it really works.

Regards,

Roland van Laar

[1] http://owncloud.org/support/setup-and-installation/linux-server/
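
Added example, not part of the original message or of ownCloud's code: a small audit helper that reads the <Directory> sections quoted above and reports which AllowOverride value applies to a path, so the default and the proposed step 6 can be compared. The data path /var/www/owncloud/data and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the default sections quoted in the message.
DEFAULT_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
"""

# The same configuration with the section proposed for step 6 appended.
FIXED_CONF = DEFAULT_CONF + """
<Directory /var/www/owncloud/>
    AllowOverride All
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def _norm(path):
    return "/" + path.strip("/")  # "/var/www/" -> "/var/www", "/" -> "/"

def effective_allow_override(conf, target):
    """AllowOverride value in effect for `target`, or None if no section sets it.

    Plain <Directory> sections merge shortest path first, so the longest
    matching section wins. Wildcard/regex sections are not handled here.
    """
    target = _norm(target)
    matches = []
    for path, body in SECTION.findall(conf):
        base = _norm(path)
        if target == base or target.startswith(base.rstrip("/") + "/"):
            found = OVERRIDE.findall(body)
            if found:
                matches.append((len(base), found[-1]))
    if not matches:
        return None  # unset: the server's built-in default applies
    return sorted(matches, key=lambda m: m[0])[-1][1]  # stable: later section wins ties

def htaccess_honoured(conf, target):
    """True only when a section explicitly allows overrides for `target`."""
    value = effective_allow_override(conf, target)
    return value is not None and value.lower() != "none"
```

Run against the real configuration by passing the contents of the site file instead of the constructed strings; a False result for the data directory means its .htaccess protection is not being applied.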


