Package: owncloud
Version: 5.0.13+dfsg-1
Severity: important

The default installation for owncloud makes the data directory insecure.
The problem is the htaccess file in /var/lin/owncloud/data is for the
"old style" authorization.

The owncloud admin screen nags you with this:
  "Your data directory and your files are probably accessible from the
  internet. The .htaccess file that ownCloud provides is not working. We
  strongly suggest that you configure your webserver in a way that the
  data directory is no longer accessible or you move the data directory
  outside the webserver document root."

The file contents should be:
  Require all denied
  IndexIgnore *

Or even better, the version-aware variety of this that is found in
/etc/owncloud/htaccess

I raised the level of Severity because it provides remote access to
files users might think are protected, depending on how your other
settings are set up.

 - Craig


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages owncloud depends on:
ii  apache2                    2.4.6-3
ii  apache2-bin [httpd]        2.4.6-3
ii  fonts-font-awesome         4.0.0~dfsg-1
ii  libjs-chosen               0.9.11-1
ii  libjs-jquery               1.7.2+dfsg-3
ii  libjs-jquery-fancybox      8-2
ii  libjs-jquery-jplayer       2.3.4+dfsg-1
ii  libjs-jquery-minicolors    1.2.1-1
ii  libjs-jquery-mousewheel    8-2
ii  libjs-jquery-timepicker    1.2-1
ii  libjs-pdf                  0.8.37+dfsg-1
ii  libphp-phpmailer           5.1-1
ii  mediawiki                  1:1.19.8+dfsg-2.1
ii  owncloud-doc               0~20131024-1
ii  owncloud-mysql             5.0.13+dfsg-1
ii  php-aws-sdk                1.5.6.2-1
ii  php-crypt-blowfish         1.1.0~RC2-1
ii  php-getid3                 1.9.7-1
ii  php-google-api-php-client  0.6.2-1
ii  php-irods-prods            3.3.0~beta1-1
ii  php-mdb2                   2.5.0b5-1
ii  php-mdb2-schema            0.8.5-1
ii  php-patchwork-utf8         1.1.7-1
ii  php-pear                   5.5.5+dfsg-1
ii  php-sabre-dav              1.7.6+dfsg-2
ii  php-sabre-vobject          2.0.7-1
ii  php-seclib                 0.3.5-2
ii  php-symfony-routing        2.0.19-1
ii  php-xml-parser             1.3.4-6
ii  php5                       5.5.5+dfsg-1
ii  php5-curl                  5.5.5+dfsg-1
ii  php5-gd                    5.5.5+dfsg-1
ii  php5-json                  1.3.2-2

Versions of packages owncloud recommends:
ii  clamav                          0.97.8+dfsg-1
ii  curl                            7.33.0-1
ii  liboauth-php                    0~svn1262-1
ii  php-services-json               1.0.3-1
ii  php5-cli                        5.5.5+dfsg-1
ii  php5-intl                       5.5.5+dfsg-1
ii  php5-ldap                       5.5.5+dfsg-1
ii  postfix [mail-transport-agent]  2.10.2-1
ii  smbclient                       2:4.0.10+dfsg-4
ii  zendframework                   1.12.3-1

Versions of packages owncloud suggests:
pn  libapache2-mod-xsendfile  <none>

-- Configuration Files:
/etc/owncloud/htaccess [Errno 13] Permission denied: u'/etc/owncloud/htaccess'

-- no debconf information
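
The following is an added example, not part of the original report and not the contents of the package's /etc/owncloud/htaccess: one way to write a version-aware .htaccess for the data directory, placing the "old style" directives beside the `Require all denied` form quoted above. It assumes the standard Apache module names mod_authz_core (2.4) and mod_autoindex.

```apache
# Added example, not the Debian package's /etc/owncloud/htaccess.
# Intended as the .htaccess inside the ownCloud data directory.

# Apache 2.4: mod_authz_core is present, so use the new-style directive.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to the
# old-style access directives.
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
    Satisfy All
</IfModule>

# Hide every entry from generated directory listings.
<IfModule mod_autoindex.c>
    IndexIgnore *
</IfModule>
```

The file only takes effect if the `AllowOverride` setting for that directory permits these directives (AuthConfig for `Require`, Limit for `Order`/`Deny`, Indexes for `IndexIgnore`). Moving the data directory outside the document root, as the admin warning suggests, removes the dependency on .htaccess altogether.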

