ownCloud 9.0.3 : The .htaccess file is not working! ?? #25416

Closed
Tas-sos opened this issue Jul 7, 2016 · 17 comments

@Tas-sos

Tas-sos commented Jul 7, 2016

Steps to reproduce

A few days ago I upgraded to the latest version of ownCloud (ownCloud 9.0.3 (stable)).

Expected behaviour

I did not expect to have any security problem, because before I upgraded everything worked correctly.

Actual behaviour

After the upgrade I have the following warning in the management page :
[screenshot of the warning]

Server configuration

Operating system: Ubuntu Server 16.04 LTS

Web server: Apache/2.4.18 ( Ubuntu )

Database: Mysql Ver 14.14 Distrib 5.7.12

PHP version: 7.0.4-7ubuntu2.1

ownCloud version: ownCloud 9.0.3 (stable)

Updated from an older ownCloud or fresh install: I upgraded from the previous version

https://myDomain/index.php/settings/integrity/failed :
No errors have been found.

List of activated apps:

cd to_owncloud_directory

...# sudo -u www-data php occ app:list

Enabled:
  - activity: 2.2.1
  - comments: 0.2
  - dav: 0.1.6
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_external: 0.5.2
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
Disabled:
  - encryption
  - external
  - files_antivirus
  - user_external
  - user_ldap

The content of config/config.php:

{
    "system": {
        "updatechecker": false,
        "instanceid": "occblt5pmm48",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "myDomain",
            "111.my.Ip.111"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/myDomain.com",
        "dbtype": "mysql",
        "version": "9.0.3.2",
        "dbname": "dbName",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "loglevel": 0,
        "maintenance": false,
        "htaccess.RewriteBase": "\/"
    }
}

What could be wrong (whereas before everything was fine)?
Are my files indeed accessible to all?

Thank you very much.

@dergilb99

dergilb99 commented Jul 8, 2016

I had the same problem. I uploaded another .htaccess from an older installation. The error was gone then. It looks like this:

# lines below are for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# lines below are for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *

I think it would be helpful if you could post your .htaccess as well.

To all: Since I used an older .htaccess, is it still OK or has something changed?

@ghost

ghost commented Jul 8, 2016

Hi,

this is known and will be fixed with 9.0.4: #25331

@Tas-sos
Author

Tas-sos commented Jul 10, 2016

I saw your answers from the first moment, but excuse me, only now did I manage to answer.
(But I was glad for the immediate responses.)

So first of all, to clarify the following: am I really vulnerable or not?

@dergilb99 I tried your solution, so I added these lines to my .htaccess file:

<ifModule mod_authz_core.c>
Require all denied
</ifModule>

IndexIgnore *

( Because the version of my apache is : Apache/2.4.18 ( Ubuntu ) )

But with this setting, I did not have access anywhere on the site.
I was getting Forbidden 403 error :

Forbidden 403 error

So in the end I left the file as it was. (By the way, this is the .htaccess file I have.)

I have also done this setting, as referred by the official documentation.

@RealRancor When will this update (9.0.4) be available?
Until then, am I vulnerable?
If I really am, how can I check it? How can I see the files without certification?

Thank you and sorry for the delayed reply (and my bad English)! :)

@ghost

ghost commented Jul 10, 2016

Hi,

you're not vulnerable. Currently the check is just failing to detect a protected datadir correctly. Until oC 9.0.4 is available you can do the following file modifications: https://github.com/owncloud/core/pull/25331/files and the message should be gone.

@dergilb99

dergilb99 commented Jul 10, 2016

Hi Tas-sos,

I have a similar .htaccess, but in the owncloud directory. I meant the one in the data directory (owncloud/data, in your case). I guess you edited the owncloud .htaccess file.

owncloud: the long .htaccess file
owncloud/data: the short one

@RealRancor: I did not make the modifications you mentioned, just uploaded the old .htaccess. Message is gone, too.

@ghost

ghost commented Jul 10, 2016

Ah, then your issue is unrelated to #25331

@Tas-sos
Author

Tas-sos commented Jul 10, 2016

Thank you.

@RealRancor
Do I make these changes "by hand"?
Will there not be an update from the repositories?

@dergilb99
Now I noticed that I have two .htaccess files, like you:

  • /owncloud/ : the file I showed you above
  • /owncloud/data/.htaccess Oops! This file contains exactly everything you told me!!

So, where is the problem? : /

@ghost

ghost commented Jul 10, 2016

@Tas-sos The next update which could fix this is planned for the end of August:

https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule

@dergilb99

Oops! This file contains everything you told me exactly!!

Guessed so. ;-) I don't know what my .htaccess contained when I had this error (should've looked). I just reuploaded it. That solved the message in my case.

Now, back to the game!

@Tas-sos
Author

Tas-sos commented Jul 10, 2016

@RealRancor
A nice and interesting page that I did not know.
But I do not understand why it is not updated now (if we can fix it).
Just because (allow me) this "bug" produces confusion.
Anyway... I do not know this process very well or how you decide to act.
Besides, the important thing is that, as you say, the error is not valid.

@dergilb99
So we have exactly the same .htaccess files?

@dergilb99

I use exactly the .htaccess I posted above.

@ghost

ghost commented Jul 10, 2016

@Tas-sos

I do not know very well this process and how you decide to act.

I'm not deciding anything as I'm just a user as you are ;-)

@Tas-sos
Author

Tas-sos commented Jul 10, 2016

OK. Thank you both! :)

@PVince81 PVince81 added this to the 9.0.4 milestone Jul 11, 2016
@PVince81 PVince81 self-assigned this Jul 11, 2016
@edzoe

edzoe commented Jul 14, 2016

I have the same problem after updating my cloud to 9.0.3. I didn't change anything in .htaccess (/owncloud or /data), everything is original :-) The funny thing is that this is not only a warning thrown out by a check script, and it is not related to #25331.

I can bypass my .htaccess and access all my files... this is the biggest problem. I run CentOS 7 and updated Owncloud using repositories.

Note: Before the upgrade, I didn't have this security breach.

I added the below lines to my vhost config, but this is not a fix.

<Directory "/var/www/html/owncloud/data">
    # just in case if .htaccess gets disabled
    Require all denied
</Directory>
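
One way to answer the "how can I check it?" question raised in this thread, as an added example (not ownCloud's own check and not code from any commenter): request a file inside data/ on your own server without logging in and judge the HTTP status. The `/data` URL path and the probe names `.ocdata` and `owncloud.log` are assumptions about a default install; adjust them to files that exist in your data directory.

```shell
#!/bin/sh
# Added example: probe your own ownCloud data directory over HTTP.
# Assumptions: the data dir is reachable at <base>/data and holds the
# default files .ocdata and owncloud.log (constructed probe list).
PROBES=".ocdata owncloud.log"

# Map an HTTP status code to a verdict for a file inside data/.
classify_status() {
    case "$1" in
        200|206) echo "EXPOSED" ;;       # the file body was served
        401|403) echo "protected" ;;     # an access rule is enforced
        404)     echo "inconclusive" ;;  # probe file absent or URL rewritten
        000)     echo "unreachable" ;;   # curl could not connect
        *)       echo "inconclusive" ;;  # redirects, 5xx, anything else
    esac
}

# Combine per-probe verdicts: a single EXPOSED wins, then protected.
overall_verdict() {
    result="inconclusive"
    for v in "$@"; do
        case "$v" in
            EXPOSED)   echo "EXPOSED"; return 0 ;;
            protected) result="protected" ;;
        esac
    done
    echo "$result"
}

# Request each probe unauthenticated; print details to stderr and the
# overall verdict to stdout.
check_datadir() {
    base="${1%/}"
    verdicts=""
    for p in $PROBES; do
        code=$(curl -s -o /dev/null --max-time 10 \
                    -w '%{http_code}' "$base/data/$p") || true
        v=$(classify_status "$code")
        echo "$base/data/$p -> HTTP $code ($v)" >&2
        verdicts="$verdicts $v"
    done
    overall_verdict $verdicts
}

# Usage: sh check_datadir.sh https://cloud.example.org/owncloud
if [ "$#" -ge 1 ]; then
    check_datadir "$1"
fi
```

A verdict of `protected` from outside the server, with the `<Directory>` rule above in place or with a working data/.htaccess, is what you want to see; `inconclusive` means the probe files were not found, so pick a file you know exists in the data directory.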

@PVince81
Contributor

@PVince81
Contributor

As for the false positive, the htaccess check has been improved, PR here for 9.0.4: #25435

@lock

lock bot commented Aug 4, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 4, 2019