In its default configuration, CiviCRM places some uploaded and server-generated data in the CMS's data folder (such as Drupal's "sites/default/files" or Joomla's "media"). This folder is web-accessible, but many of the documents processed by CiviCRM should not be web-accessible. If CiviCRM's data folders are not suitably protected from web access, then sensitive information may be disclosed.
CiviCRM v3.2+ includes a protective feature which automatically restricts web access by creating a ".htaccess" file. However, this protection requires suitable support and configuration in the webserver; for example, most Apache-based web servers support ".htaccess", but some Apache-based servers do not, and nginx-based web servers do not.
Specifically, CiviCRM includes four data folders which should have protections. You should determine the exact paths of these folders by checking the civicrm.settings.php file as well as "Administer CiviCRM => System Settings => Directories". As a rule of thumb, the typical path depends on the CMS:
|CMS||Code Name||Typical Path||Recommended Access Level||Determined By|
|Drupal||configAndLogDir||sites/default/files/civicrm/ConfigAndLog||Prohibit all web access||templateCompileDir|
|Drupal||imageUploadDir||sites/default/files/civicrm/persist/contribute||Prohibit browsing directory listings||"System Settings"|
|Drupal||templateCompileDir||sites/default/files/civicrm/templates_c||Prohibit all web access||civicrm.settings.php|
|Drupal||uploadDir||sites/default/files/civicrm/upload||Prohibit all web access||"System Settings"|
|Joomla||configAndLogDir||media/civicrm/ConfigAndLog||Prohibit all web access||templateCompileDir|
|Joomla||imageUploadDir||media/civicrm/persist/contribute||Prohibit browsing directory listings||"System Settings"|
|Joomla||templateCompileDir||media/civicrm/templates_c||Prohibit all web access||civicrm.settings.php|
|Joomla||uploadDir||media/civicrm/upload||Prohibit all web access||"System Settings"|
|WordPress||configAndLogDir||wp-content/plugins/files/civicrm/ConfigAndLog||Prohibit all web access||templateCompileDir|
|WordPress||imageUploadDir||wp-content/plugins/files/civicrm/persist/contribute||Prohibit browsing directory listings||"System Settings"|
|WordPress||templateCompileDir||wp-content/plugins/files/civicrm/templates_c||Prohibit all web access||civicrm.settings.php|
|WordPress||uploadDir||wp-content/plugins/files/civicrm/upload||Prohibit all web access||"System Settings"|
- CiviCRM version 4.4.3 and earlier
- CiviCRM LTS version 4.2.14 and earlier
- CiviCRM 4.4.4
- CiviCRM LTS 4.2.15
This release of CiviCRM introduces a self-diagnostic which advises site-administrators if CiviCRM is able to determine that the webserver is not currently protecting the CiviCRM data directories. (Diagnostic messages will be displayed when an administrator logs in and opens CiviCRM.) Additional changes related to this fix include generating blank index.html files in sensitive directories to prevent browsing.
Upgrading to CiviCRM v4.4.4+ will enable the self-diagnostic. However, one may manually diagnose problems by auditing the paths listed above. Resolving problems will require intervention by a system administrator.
To resolve issues with configAndLogDir, templateCompileDir, and uploadDir, one might:
- Move the sensitive data to a location outside the webroot (and update the configuration in civicrm.settings.php or Administer CiviCRM => System Settings => Directories).
- Modify the web-server configuration to enable per-directory ".htaccess" settings
- Modify the web-server configuration to blacklist particular directories or URLs
To resolve issues with imageUploadDir, one might:
- Create an empty "index.html" files inside "imageUploadDir"
- Modify the web-server configuration to disable file listings
Chris Burgess and Eileen McNaughton of Fuzion Aotearoa
Tim Otten of CiviCRM LLC