Merge pull request #1605 from owncloud/LukasReschke-patch-1

Add note about installing ownCloud in a DMZ
2025-10-26 11:18:02 +00:00 · 2015-08-29 11:57:51 +02:00 · 2015-08-29 11:57:51 +02:00 · ef791b4a0f
commit ef791b4a0f
parent af44b48dd3 cb4e403927
1 changed files with 12 additions and 0 deletions
--- a/admin_manual/configuration_server/harden_server.rst
+++ b/admin_manual/configuration_server/harden_server.rst
@ -148,6 +148,18 @@ Administrators are encouraged to install ownCloud on a dedicated domain such as
 cloud.domain.tld instead of domain.tld to gain all the benefits offered by the 
 Same-Origin-Policy.

+Ensure that your ownCloud instance is installed in a DMZ
+--------------------------------------------------------
+
+As ownCloud supports features such as Federated File Sharing we do not consider
+Server Side Request Forgery (SSRF) part of our threat model. In fact, given all our
+external storage adapters this can be considered a feature and not a vulnerability.
+
+This means that a user on your ownCloud instance could probe whether other hosts
+are accessible from the ownCloud network. If you do not want this you need to 
+ensure that your ownCloud is properly installed in a segregated network and proper 
+firewall rules are in place.
+
 Serve security related Headers by the web server
 ------------------------------------------------