Htaccess warning while configuration should be OK

MichaIng · September 11, 2017, 11:03am

Yeah, just testet the following with Satisfy Any inside nextcloud apache config:

Actually my data directory is outside of nextcloud folder on external drive, so in my case there is no security issue with this.
But some script created an (unused) data directory in my nextcloud folder and a recent occ maintenance:update:htaccess created the /nextcloud/data/.htaccess file, which is/should be perfectly in use, since AllowOverride All is in place and redirection to pretty URLs + file upload size works by /nextcloud/.htaccess perfectly well.
I created a test file /nextcloud/data/<user>/test besides the already existing /nextcloud/data/index.html.
Actually pretty URLs redirects all access tries to the test file to the nextcloud base URL (but /data/index.html IS indeed accessible!), so I disabled pretty URLs inside /nextcloud/.htaccess, which by the way can not influence access rights to /nextcloud/data/ with it’s own .htaccess file.
Afterwards is WAS able to access and read the test file inside browser!! Crazy shit!
Next I removed Satisfy Any from nextcloud apache config and access tries to test file as well as index.html got answered with “Access forbidden” as it should be.

Just to answer every doubt, /data/.htaccess looks like this:

# Generated by Nextcloud on 2017-06-02 11:21:34
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

“Require all denied” seems to be without effect if “Satisfy Any” is set. I use apache 2.4.25 btw.

From my point of view this is a huge security issue, as the admin manual more less recommends this setting, if you don’t know about parent folder authentication that might be there. The hint should be completely removed from admin manual. Even a big red warning about this, if data directory is inside nextcloud (which is default) is not enough for my point of view. If one really uses parent directory authentication, one would know it, has to move nextcloud to different location or whatever, but “Satisfy Any” really breaks every permissions attempt by nextclouds .htaccess. Even that admin manual gives warning about accessible data, if users don’t find the reason and instead find .htaccess work perfectly fine, they could ignore it. Also the warning does not clearly say that files ARE accessible, just that they MIGHT BE, which is also no good solution in my opinion.

I will directly open a github issue about this! Crazy nobody found it so far, as it is so easily reproducible .

€:

github.com/nextcloud/server

Data folder accessible if "Satisfy Any" is set

opened 11:38AM - 11 Sep 17 UTC

closed 10:26AM - 19 Dec 19 UTC

MichaIng

4. to release security

Rewards are always welcome thou, but it is not me that fell above this: https://…help.nextcloud.com/t/htaccess-warning-while-configuration-should-be-ok/20280/17?u=michaing ### Steps to reproduce 1. Set up Nextcloud on Apache2 **without** pretty URLs and data directory **inside** nextcloud root. 2. Ensure `.htaccess` files are used as expected to prevent access to data folder. 3. Add `Satisfy Any` to nextcloud vhost/config file as mentioned in admin manual as necessary in some cases: https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#additional-apache-configurations 4. Try to access to some file inside data folder by using it's direct URL. ### Expected behaviour Access should be forbidden. ### Actual behaviour Access works very well. - Pretty URLs lead to redirection of requests to nextcloud base URL. But e.g. access to `/data/index.html` is still possible. ### Server configuration **Operating system**: Raspbian/Debian Stretch **Web server:** Apache/2.4.25 **Database:** MariaDB 10.1 **PHP version:** 7.0.19-1 **Nextcloud version:** 12.0.2 **Updated from an older Nextcloud/ownCloud or fresh install:** updated **Where did you install Nextcloud from:** downloads.nextcloud.com **Signing status:** <details> <summary>Signing status</summary> ``` No errors have been found. ``` </details> **List of activated apps:** <details> <summary>App list</summary> ``` Enabled: - activity: 2.5.2 - apporder: 0.4.0 - calendar: 1.5.3 - contacts: 1.5.3 - dav: 1.3.0 - federatedfilesharing: 1.2.0 - files: 1.7.2 - files_sharing: 1.4.0 - files_trashbin: 1.2.0 - files_versions: 1.5.0 - gallery: 17.0.0 - impersonate: 1.0.1 - logreader: 2.0.0 - lookup_server_connector: 1.0.0 - nextcloud_announcements: 1.1 - notifications: 2.0.0 - oauth2: 1.0.5 - ownnote: 1.08 - polls: 0.7.3 - previewgenerator: 1.0.6 - provisioning_api: 1.2.0 - serverinfo: 1.2.0 - sharerenamer: 1.3 - tasks: 0.9.5 - twofactor_backupcodes: 1.1.1 - updatenotification: 1.2.0 - workflowengine: 1.2.0 Disabled: - admin_audit - comments - encryption - federation - files_external - files_pdfviewer - files_texteditor - files_videoplayer - firstrunwizard - imprint - password_policy - sharebymail - survey_client - systemtags - theming - user_external - user_ldap ``` </details> **Nextcloud configuration:** <details> <summary>Config report</summary> ``` { "system": { "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "localhost", "my.domain.org" ], "datadirectory": "\/mnt\/sda\/ncdata", #Tested with manual created data directory + test files inside nextcloud root and with occ maintenance:update:htaccess to create correct .htaccess file inside. "dbtype": "mysql", "version": "12.0.2.0", "memcache.local": "\\OC\\Memcache\\APCu", "filelocking.enabled": true, "memcache.locking": "\\OC\\Memcache\\Redis", "redis": { "host": "\/var\/run\/redis\/redis.sock", "port": 0, "dbindex": 0, "password": "***REMOVED SENSITIVE VALUE***", "timeout": 1.5 }, "dbname": "nextcloud", "dbhost": "localhost", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "instanceid": "ocv2j0skx6hk", "loglevel": 3, "logtimezone": "Europe\/Berlin", "trashbin_retention_obligation": "disabled", "versions_retention_obligation": "disabled", "skeletondirectory": "", "defaultapp": "apporder", "maintenance": false, "overwrite.cli.url": "https:\/\/my.domain.org\/nextcloud", "htaccess.RewriteBase": "\/nextcloud", #Tested without pretty URLs, as they redirect access tries to all files besides at least index.html inside data directory. "mail_smtpmode": "smtp", "mail_smtpauthtype": "LOGIN", "mail_smtpsecure": "tls", "mail_from_address": "my.mail", "mail_domain": "gmx.de", "mail_smtpauth": 1, "mail_smtphost": "mail.gmx.net", "mail_smtpport": "587", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***" }, "apps": { "activity": { "enabled": "yes", "installed_version": "2.5.2", "notify_email_calendar": "0", "notify_email_calendar_event": "0", "notify_email_calendar_todo": "0", "notify_email_favorite": "0", "notify_email_file_changed": "0", "notify_email_file_created": "0", "notify_email_file_deleted": "0", "notify_email_file_downloaded": "0", "notify_email_file_restored": "0", "notify_email_public_links": "0", "notify_email_remote_share": "0", "notify_email_shared": "0", "notify_setting_batchtime": "604800", "notify_setting_self": "1", "notify_setting_selfemail": "0", "notify_stream_calendar": "1", "notify_stream_calendar_event": "1", "notify_stream_calendar_todo": "1", "notify_stream_favorite": "1", "notify_stream_file_changed": "1", "notify_stream_file_created": "1", "notify_stream_file_deleted": "1", "notify_stream_file_downloaded": "1", "notify_stream_file_favorite": "0", "notify_stream_file_restored": "1", "notify_stream_public_links": "1", "notify_stream_remote_share": "1", "notify_stream_shared": "1", "types": "filesystem" }, "apporder": { "enabled": "yes", "installed_version": "0.4.0", "order": "[\"\/nextcloud\/index.php\/apps\/activity\/\",\"\/nextcloud\/index.php\/apps\/files\/\",\"\/nextcloud\/index.php\/apps\/gallery\/\",\"\/nextcloud\/index.php\/apps\/contacts\/\",\"\/nextcloud\/index.php\/apps\/calendar\/\",\"\/nextcloud\/index.php\/apps\/tasks\/\",\"\/nextcloud\/index.php\/apps\/ownnote\/\",\"\/nextcloud\/index.php\/apps\/polls\/\"]", "types": "" }, "backgroundjob": { "lastjob": "20" }, "calendar": { "enabled": "yes", "installed_version": "1.5.3", "types": "" }, "comments": { "enabled": "no", "installed_version": "1.2.0", "types": "logging" }, "contacts": { "enabled": "yes", "installed_version": "1.5.3", "types": "" }, "core": { "backgroundjobs_mode": "cron", "installedat": "1496402497.1163", "lastcron": "1505128503", "lastupdateResult": "[]", "lastupdatedat": "1505127887", "moveavatarsdone": "yes", "oc.integritycheck.checker": "[]", "previewsCleanedUp": "1", "public_files": "files_sharing\/public.php", "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php", "scss.variables": "d41d8cd98f00b204e9800998ecf8427e", "shareapi_allow_resharing": "no", "shareapi_enforce_links_password": "yes", "updater.secret.created": "1503506277", "vendor": "nextcloud" }, "dav": { "enabled": "yes", "installed_version": "1.3.0", "types": "filesystem" }, "federatedfilesharing": { "enabled": "yes", "installed_version": "1.2.0", "types": "" }, "federation": { "enabled": "no", "installed_version": "1.2.0", "types": "authentication" }, "files": { "cronjob_scan_files": "500", "enabled": "yes", "installed_version": "1.7.2", "types": "filesystem" }, "files_downloadactivity": { "enabled": "no", "installed_version": "1.1.1", "types": "filesystem" }, "files_pdfviewer": { "enabled": "no", "installed_version": "1.1.1", "ocsid": "166049", "types": "" }, "files_sharing": { "enabled": "yes", "installed_version": "1.4.0", "lookupServerUploadEnabled": "no", "types": "filesystem" }, "files_texteditor": { "enabled": "no", "installed_version": "2.4.1", "ocsid": "166051", "types": "" }, "files_trashbin": { "enabled": "yes", "installed_version": "1.2.0", "types": "filesystem" }, "files_versions": { "enabled": "yes", "installed_version": "1.5.0", "types": "filesystem" }, "files_videoplayer": { "enabled": "no", "installed_version": "1.1.0", "types": "" }, "firstrunwizard": { "enabled": "no", "installed_version": "2.1", "types": "logging" }, "gallery": { "enabled": "yes", "installed_version": "17.0.0", "types": "" }, "impersonate": { "enabled": "yes", "installed_version": "1.0.1", "types": "" }, "imprint": { "content": "test test", "enabled": "no", "installed_version": "0.2.5", "position-guest": "header-right", "position-login": "header-right", "position-user": "header-right", "types": "" }, "logreader": { "enabled": "yes", "installed_version": "2.0.0", "levels": "00011", "ocsid": "170871", "types": "" }, "lookup_server_connector": { "enabled": "yes", "installed_version": "1.0.0", "types": "authentication" }, "nextcloud_announcements": { "enabled": "yes", "installed_version": "1.1", "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100", "types": "logging" }, "notifications": { "enabled": "yes", "installed_version": "2.0.0", "types": "logging" }, "oauth2": { "enabled": "yes", "installed_version": "1.0.5", "types": "authentication" }, "ownbackup": { "enabled": "no", "installed_version": "17.5.0", "types": "" }, "ownnote": { "enabled": "yes", "folder": "ownNotes", "installed_version": "1.08", "types": "" }, "password_policy": { "enabled": "no", "installed_version": "1.2.2", "types": "" }, "polls": { "enabled": "yes", "installed_version": "0.7.3", "types": "" }, "previewgenerator": { "enabled": "yes", "installed_version": "1.0.6", "types": "filesystem" }, "provisioning_api": { "enabled": "yes", "installed_version": "1.2.0", "types": "prevent_group_restriction" }, "rainloop": { "enabled": "no", "installed_version": "5.0.1", "rainloop-autologin": "1", "types": "" }, "serverinfo": { "enabled": "yes", "installed_version": "1.2.0", "types": "" }, "sharebymail": { "enabled": "no", "installed_version": "1.2.0", "types": "filesystem" }, "sharerenamer": { "enabled": "yes", "installed_version": "1.3", "types": "" }, "survey_client": { "enabled": "no", "installed_version": "1.0.0", "types": "" }, "systemtags": { "enabled": "no", "installed_version": "1.2.0", "types": "logging" }, "tasks": { "enabled": "yes", "installed_version": "0.9.5", "types": "" }, "theming": { "enabled": "no", "installed_version": "1.3.0", "types": "logging" }, "twofactor_backupcodes": { "enabled": "yes", "installed_version": "1.1.1", "types": "" }, "updatenotification": { "core": "12.0.2.0", "enabled": "yes", "installed_version": "1.2.0", "types": "", "update_check_errors": "0" }, "workflowengine": { "enabled": "yes", "installed_version": "1.2.0", "types": "filesystem" } } } ``` </details> **Are you using external storage, if yes which one:** no **Are you using encryption:** no **Are you using an external user-backend, if yes which one:** no ### Client configuration **Browser:** Opera 49 + Edge 40.15 were tested. **Operating system:** ### Logs #### Web server error log none #### Nextcloud log (data/nextcloud.log) none #### Browser log nene