lolcreds

Public credential defaults and exposure patterns for authorized security testing.

ownCloud

ownCloudcollaboration3 credentials

Credentials3 documented
01

Instance Secret / Password Salt

owncloud / config-secret-and-salt

ownCloud config.php contains instance-specific values including passwordsalt and secret. ownCloud documents these configuration parameters alongside database and server settings.

generated on installsecretsecret value

Looks like

pattern
pattern

ownCloud config.php passwordsalt or secret entry

'(?:passwordsalt|secret)'\s*=>\s*'[^']+'\s*[,;]

Location

config file
config/config.php

ownCloud instance configuration containing secret and passwordsalt

secret store

deployment vaults, Kubernetes Secrets, and cloud secret managers

source code

committed config.php files, Helm values, and backups

artifact

instance backups and container images containing config.php

Notes

These values are not user passwords, but they are instance secret material used by ownCloud security mechanisms.

02

Database Credentials

owncloud / database-credentials

ownCloud config.php stores database settings such as dbtype, dbhost, dbname, dbuser, and dbpassword. These credentials connect the application to its database.

user definedsecretusername/password

Looks like

pattern
pattern

ownCloud config.php database password entry

'dbpassword'\s*=>\s*'[^']+'\s*[,;]

Location

config file
config/config.php

ownCloud database connection configuration

environment
MYSQL_PASSWORD, POSTGRES_PASSWORD, OWNCLOUD_DB_PASSWORD, DATABASE_URL
secret store

Docker/Kubernetes secrets, cloud secret managers, and database password vaults

source code

committed config.php files, Docker Compose files, Helm values, and tests

artifact

backups and container images containing config.php

logs

installer logs and database connection troubleshooting output

Notes

Database access can expose files metadata, user records, app passwords, shares, tokens, and application configuration.

03

User Password / App Token

owncloud / user-password-app-token

ownCloud users authenticate to the web UI and clients with user passwords or token-only authentication for apps and clients depending on policy. ownCloud documentation covers user management and reset workflows.

user definedsecretusername/password

Location

database

ownCloud database tables storing user, session, and app token verifier data

public interface
/login, WebDAV, OCS APIs

ownCloud login, sync, and API endpoints

config file

client sync config, app integration config, and local credential caches

secret store

password managers, CI/CD variables, and cloud secret managers

source code

integration scripts, tests, and accidentally committed client configs

logs

web server logs, sync client logs, and authentication troubleshooting output

Notes

App tokens should be revoked independently from the user's main password if exposed.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.