Question about security


Question about security

Pauleman (DerPaul)
Hello all,

just for fun I tested to download a file directly from the data location
of owncloud. I was surprised that there was no protection of the data
directory and also of the backup directory. Is there any idea to prevent
the direct access?

Regards

Pauleman


Question about security

Jakob Sack-2
Hi,

there are two options that come to my mind.
a) using a data folder location outside the webroot (possible if you have root
access to the webserver)
b) creating a .htaccess with the appropriate rights (order allow deny, deny
from all)

The second option is the one all can use, including the users of a shared
webhosting service. Maybe the creation of this file can be done by owncloud.
Regards,

Jakob


On Wednesday, 11 August 2010, 00:02:15, Pauleman (DerPaul) wrote:

> Hello all,
>
> just for fun I tested to download a file directly from the data location
> of owncloud. I was surprised that there was no protection of the data
> directory and also of the backup directory. Is there any idea to prevent
> the direct access?
>
> Regards
>
> Pauleman


Question about security

Robin Appelman
On Wednesday, August 11, 2010 01:01:17 Jakob Sack wrote:

> Hi,
>
> there are two options that come to my mind.
> a) using a data folder location outside the webroot (possible if you have
> root access to the webserver)
> b) creating a .htaccess with the appropriate rights (order allow deny, deny
> from all)
>
> The second option is the one all can use, including the users of a shared
> webhosting service. Maybe the creation of this file can be done by
> owncloud. Regards,
>
> Jakob
>
> On Wednesday, 11 August 2010, 00:02:15, Pauleman (DerPaul) wrote:
> > Hello all,
> >
> > just for fun I tested to download a file directly from the data location
> > of owncloud. I was surprised that there was no protection of the data
> > directory and also of the backup directory. Is there any idea to prevent
> > the direct access?
> >
> > Regards
> >
> > Pauleman
The problem with .htaccess is that not all HTTP servers support it; we try to
support more than Apache.

We need to find a sane solution that works across various web servers.

 - Robin Appelman


Question about security

Frank Karlitschek
On 11.08.2010, at 00:02, Pauleman (DerPaul) wrote:

> Hello all,
>
> just for fun I tested to download a file directly from the data location
> of owncloud. I was surprised that there was no protection of the data
> directory and also of the backup directory. Is there any idea to prevent
> the direct access?
>
> Regards
>
> Pauleman
Hi,

I think this is a very good point.
Having an unprotected document directory in your webdirectory is a bad idea.

I think we need some fancy logic for this problem.
ownCloud should check if the current document directory is in the documentroot and accessible from the internet. If no -> no problem. If yes -> try to automatically put a .htaccess in the directory and check with a fopen http request if access is still possible. If no -> problem solved. If yes -> big security problem, and do nothing till the user fixes this security hole.


Cheers
Frank
--
Frank Karlitschek
karlitschek at kde.org
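The check Frank sketches above, combined with the deny-all .htaccess Jakob proposes, as an added example that is not part of this thread or of ownCloud's own code. It is written in Python for illustration rather than ownCloud's PHP; the document root, data directory, served URL, probe file name and the fetch function are all assumptions, and the fake fetchers in demo() stand in for a real web server so the block runs offline.

```python
import os
import shutil
import tempfile
import urllib.error
import urllib.request

# Constructed probe file name (assumption; not a name ownCloud uses).
PROBE_NAME = "htaccess-probe.txt"

# Jakob's "Order allow,deny / Deny from all" is Apache 2.2 syntax; Apache 2.4
# uses "Require all denied". Both are wrapped in IfModule so one file fits either.
HTACCESS_DENY = (
    "# Deny direct HTTP access to the ownCloud data directory\n"
    "<IfModule mod_authz_core.c>\n"
    "    Require all denied\n"
    "</IfModule>\n"
    "<IfModule !mod_authz_core.c>\n"
    "    Order allow,deny\n"
    "    Deny from all\n"
    "</IfModule>\n"
)


def is_inside_docroot(data_dir, docroot):
    """True if data_dir is the document root or lies beneath it.

    realpath() follows symlinks, so a data dir symlinked into htdocs is caught;
    commonpath() compares whole path components, so /srv/www/htmlx is not
    treated as inside /srv/www/html the way a plain startswith() would.
    """
    real_data = os.path.realpath(data_dir)
    real_root = os.path.realpath(docroot)
    try:
        return os.path.commonpath([real_data, real_root]) == real_root
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def write_protection_files(data_dir):
    """Drop the deny .htaccess plus a small probe file to fetch over HTTP."""
    with open(os.path.join(data_dir, ".htaccess"), "w") as fh:
        fh.write(HTACCESS_DENY)
    with open(os.path.join(data_dir, PROBE_NAME), "w") as fh:
        fh.write("if you can read this over HTTP, the data dir is exposed\n")


def http_status(url):
    """Default fetcher: the HTTP status for url (403/404 come back as numbers,
    not exceptions). Connection failures still raise, so a dead web server is
    never mistaken for a successful block."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def assess_data_dir(data_dir, docroot, data_url, fetch=http_status):
    """Frank's decision logic: 'outside_docroot', 'protected' or 'exposed'.

    data_url is the URL under which data_dir is served (assumption: the
    installer knows it); fetch(url) -> status code is injectable for testing.
    """
    if not is_inside_docroot(data_dir, docroot):
        return "outside_docroot"   # not reachable by path from the web: no problem
    write_protection_files(data_dir)
    status = fetch(data_url.rstrip("/") + "/" + PROBE_NAME)
    if 200 <= status < 300:
        return "exposed"           # server ignored .htaccess: stop until fixed
    return "protected"             # server honoured the deny rule


def demo():
    """Constructed layout in a temp dir; fake fetchers stand in for the server."""
    base = tempfile.mkdtemp()
    try:
        docroot = os.path.join(base, "htdocs")
        inside = os.path.join(docroot, "owncloud", "data")
        outside = os.path.join(base, "owncloud-data")
        os.makedirs(inside)
        os.makedirs(outside)
        url = "http://localhost/owncloud/data/"  # constructed, never fetched here
        results = {
            "outside": assess_data_dir(outside, docroot, url, fetch=lambda u: 403),
            "blocked": assess_data_dir(inside, docroot, url, fetch=lambda u: 403),
            "open": assess_data_dir(inside, docroot, url, fetch=lambda u: 200),
            "htaccess_written": os.path.isfile(os.path.join(inside, ".htaccess")),
            "no_htaccess_outside": not os.path.exists(os.path.join(outside, ".htaccess")),
        }
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The probe is the part that matters on a real deployment: it is what catches the case Robin raises, a server that is not Apache and silently ignores .htaccess, so an "exposed" result should stop the installer rather than be logged and forgotten. Moving the data directory outside the document root (Jakob's option a) sidesteps the whole question and is the better choice wherever the administrator controls the server.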