From f8fe4dfeae7270819815893d9907dee0bfba56f3 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sat, 22 Aug 2015 12:54:43 +0200 Subject: [PATCH 1/3] Add note about installing ownCloud in a DMZ --- admin_manual/configuration_server/harden_server.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/admin_manual/configuration_server/harden_server.rst b/admin_manual/configuration_server/harden_server.rst index 88e8716ef..efe37ccd2 100644 --- a/admin_manual/configuration_server/harden_server.rst +++ b/admin_manual/configuration_server/harden_server.rst @@ -146,6 +146,18 @@ Administrators are encouraged to install ownCloud on a dedicated domain such as cloud.domain.tld instead of domain.tld to gain all the benefits offered by the Same-Origin-Policy. +Ensure that your ownCloud instance is installed in a DMZ +-------------------------------------------------------- + +As ownCloud supports features such as Federated File Sharing we do not consider +Server Side Request Forgery (SSRF) part of our threat model. In fact, given all our +external storage adapters this can be considered a feature and not a vulnerability. + +This means that an user on your ownCloud instance could probe whether other hosts +are accessible from the ownCloud network. If you do not want this you need to +ensure that your ownCloud is properly installed in a seggregated network and proper +firewall rules are in place. + Serve security related Headers by the web server ------------------------------------------------ From 1a75869f7e88ce3164233c4e5d86ab7d1c8d5740 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sat, 22 Aug 2015 15:57:49 +0200 Subject: [PATCH 2/3] Fix typo --- admin_manual/configuration_server/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/configuration_server/harden_server.rst b/admin_manual/configuration_server/harden_server.rst index efe37ccd2..5c3a35bcb 100644 --- a/admin_manual/configuration_server/harden_server.rst 
+++ b/admin_manual/configuration_server/harden_server.rst @@ -155,7 +155,7 @@ external storage adapters this can be considered a feature and not a vulnerabili This means that an user on your ownCloud instance could probe whether other hosts are accessible from the ownCloud network. If you do not want this you need to -ensure that your ownCloud is properly installed in a seggregated network and proper +ensure that your ownCloud is properly installed in a segregated network and proper firewall rules are in place. Serve security related Headers by the web server From cb4e4039277efe8ab386ddcb573869b924dafef0 Mon Sep 17 00:00:00 2001 From: Carla Schroder Date: Sat, 29 Aug 2015 11:57:13 +0200 Subject: [PATCH 3/3] Update harden_server.rst --- admin_manual/configuration_server/harden_server.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin_manual/configuration_server/harden_server.rst b/admin_manual/configuration_server/harden_server.rst index 5c3a35bcb..241e323df 100644 --- a/admin_manual/configuration_server/harden_server.rst +++ b/admin_manual/configuration_server/harden_server.rst @@ -153,7 +153,7 @@ As ownCloud supports features such as Federated File Sharing we do not consider Server Side Request Forgery (SSRF) part of our threat model. In fact, given all our external storage adapters this can be considered a feature and not a vulnerability. -This means that an user on your ownCloud instance could probe whether other hosts +This means that a user on your ownCloud instance could probe whether other hosts are accessible from the ownCloud network. If you do not want this you need to ensure that your ownCloud is properly installed in a segregated network and proper firewall rules are in place.
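Review bot: The heading of the new section in the first hunk promises a DMZ, but the body asks for something different, a segregated network with firewall rules, and a DMZ placement on its own does not address the behaviour the paragraph describes. The concern is requests that originate from the ownCloud host (Federated File Sharing and the external storage adapters fetch user-supplied URLs), so the control that matters is outbound egress filtering from the ownCloud server toward internal address ranges, not only inbound filtering in front of it. Suggest retitling to something like "Install ownCloud in a segregated network" and spelling out the requirement, e.g. "only allow the ownCloud host to reach the services it needs (database, storage back ends, trusted federation peers) and block or log all other outbound connections". The first hunk also introduces two typos, "an user" and "seggregated", which are corrected by the two follow-up commits; squashing those fixes into this commit would keep the series to a single change. Minor style points: "Server Side Request Forgery" is usually hyphenated ("Server-Side Request Forgery"), and "If you do not want this you need to" reads better with a comma after "this".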
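Review bot: The second hunk only corrects "seggregated" to "segregated" while leaving "an user" in the line immediately above it untouched, so a third commit is needed to finish cleaning the same paragraph. Fold this into the commit that adds the section, or fix both typos here, so the series does not carry two single-word follow-ups.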
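Review bot: The third hunk fixes "an user" to "a user", which is correct, but the commit subject "Update harden_server.rst" says nothing about what changed; use a descriptive subject such as "Fix article in DMZ note" (the previous commit's "Fix typo" is a better model). Since this is the third commit touching the same four lines of harden_server.rst, it should be squashed into the first one before merge.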