ownCloud
ownCloudcollaboration3 credentials
Instance Secret / Password Salt
owncloud / config-secret-and-salt
ownCloud config.php contains instance-specific values including passwordsalt and secret. ownCloud documents these configuration parameters alongside database and server settings.
Looks like
pattern'(?:passwordsalt|secret)'\s*=>\s*'[^']+'\s*[,;]Location
config/config.phpownCloud instance configuration containing secret and passwordsalt
deployment vaults, Kubernetes Secrets, and cloud secret managers
committed config.php files, Helm values, and backups
instance backups and container images containing config.php
Notes
These values are not user passwords, but they are instance secret material used by ownCloud security mechanisms.
Database Credentials
owncloud / database-credentials
ownCloud config.php stores database settings such as dbtype, dbhost, dbname, dbuser, and dbpassword. These credentials connect the application to its database.
Looks like
pattern'dbpassword'\s*=>\s*'[^']+'\s*[,;]Location
config/config.phpownCloud database connection configuration
MYSQL_PASSWORD, POSTGRES_PASSWORD, OWNCLOUD_DB_PASSWORD, DATABASE_URLDocker/Kubernetes secrets, cloud secret managers, and database password vaults
committed config.php files, Docker Compose files, Helm values, and tests
backups and container images containing config.php
installer logs and database connection troubleshooting output
Notes
Database access can expose files metadata, user records, app passwords, shares, tokens, and application configuration.
User Password / App Token
owncloud / user-password-app-token
ownCloud users authenticate to the web UI and clients with user passwords or token-only authentication for apps and clients depending on policy. ownCloud documentation covers user management and reset workflows.
Location
ownCloud database tables storing user, session, and app token verifier data
/login, WebDAV, OCS APIsownCloud login, sync, and API endpoints
client sync config, app integration config, and local credential caches
password managers, CI/CD variables, and cloud secret managers
integration scripts, tests, and accidentally committed client configs
web server logs, sync client logs, and authentication troubleshooting output
Notes
App tokens should be revoked independently from the user's main password if exposed.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.