Security Risk: 
Not Critical
Vulnerability: 
Information Disclosure
Affected Versions: 
  • CiviCRM version 4.4.3 and earlier
  • CiviCRM LTS version 4.2.14 and earlier
Fixed Versions: 
  • CiviCRM 4.4.4
  • CiviCRM LTS 4.2.15
Publication Date: 
Thursday, February 6, 2014
Description: 

In its default configuration, CiviCRM places some uploaded and server-generated data in the CMS's data folder (such as Drupal's "sites/default/files" or Joomla's "media"). This folder is web-accessible, but many of the documents processed by CiviCRM should not be web-accessible. If CiviCRM's data folders are not suitably protected from web access, then sensitive information may be disclosed.

CiviCRM v3.2+ includes a protective feature which automatically restricts web access by creating a ".htaccess" file. However, this protection requires suitable support and configuration in the webserver; for example, most Apache-based web servers support ".htaccess", but some Apache-based servers do not, and nginx-based web servers do not.

Specifically, CiviCRM includes four data folders which should have protections. You should determine the exact paths of these folders by checking the civicrm.settings.php file as well as "Administer CiviCRM => System Settings => Directories". As a rule of thumb, the typical path depends on the CMS:

CMS Code Name Typical Path Recommended Access Level Determined By
Drupal configAndLogDir sites/default/files/civicrm/ConfigAndLog Prohibit all web access templateCompileDir
Drupal imageUploadDir sites/default/files/civicrm/persist/contribute Prohibit browsing directory listings "System Settings"
Drupal templateCompileDir sites/default/files/civicrm/templates_c Prohibit all web access civicrm.settings.php
Drupal uploadDir sites/default/files/civicrm/upload Prohibit all web access "System Settings"
Joomla configAndLogDir media/civicrm/ConfigAndLog Prohibit all web access templateCompileDir
Joomla imageUploadDir media/civicrm/persist/contribute Prohibit browsing directory listings "System Settings"
Joomla templateCompileDir media/civicrm/templates_c Prohibit all web access civicrm.settings.php
Joomla uploadDir media/civicrm/upload Prohibit all web access "System Settings"
WordPress configAndLogDir wp-content/plugins/files/civicrm/ConfigAndLog Prohibit all web access templateCompileDir
WordPress imageUploadDir wp-content/plugins/files/civicrm/persist/contribute Prohibit browsing directory listings "System Settings"
WordPress templateCompileDir wp-content/plugins/files/civicrm/templates_c Prohibit all web access civicrm.settings.php
WordPress uploadDir wp-content/plugins/files/civicrm/upload Prohibit all web access "System Settings"

 

Solutions: 

This release of CiviCRM introduces a self-diagnostic which advises site-administrators if CiviCRM is able to determine that the webserver is not currently protecting the CiviCRM data directories. (Diagnostic messages will be displayed when an administrator logs in and opens CiviCRM.) Additional changes related to this fix include generating blank index.html files in sensitive directories to prevent browsing.

Upgrading to CiviCRM v4.4.4+ will enable the self-diagnostic. However, one may manually diagnose problems by auditing the paths listed above. Resolving problems will require intervention by a system administrator.

To resolve issues with configAndLogDir, templateCompileDir, and uploadDir, one might:

  • Move the sensitive data to a location outside the webroot (and update the configuration in civicrm.settings.php or Administer CiviCRM => System Settings => Directories).
  • Modify the web-server configuration to enable per-directory ".htaccess" settings
  • Modify the web-server configuration to blacklist particular directories or URLs

To resolve issues with imageUploadDir, one might:

  • Create an empty "index.html" files inside "imageUploadDir"
  • Modify the web-server configuration to disable file listings
Credits: 

Chris Burgess and Eileen McNaughton of Fuzion Aotearoa

Tim Otten of CiviCRM LLC