Details
- Type: Bug
- Status: Open
- Priority: Trivial
- Resolution: Unresolved
- Affects Version/s: 4.4.0
- Fix Version/s: Unscheduled
- Component/s: None
- Labels: None
- Versioning Impact: Patch (backwards-compatible bug fixes)
- Documentation Required?: Developer Doc
- Sprint: 4.7.10 Security, 4.7.12 Security
- Funding Source: Needs Funding
Description
Storing CiviCRM.999AAABBBCCCDDDEEEFFF.log in a web-accessible location means that a large amount of debug data is available to potential attackers.
CiviCRM currently builds the path to the ConfigAndLog directory from the compiled templates path. Both of these directories should be stored outside web-accessible paths to avoid abuse.
Although the location is already site-configurable, it appears to be common practice to use web-accessible site directories, so CiviCRM may need to provide better assistance to site administrators in selecting appropriate locations for these directories.
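As an added example (not CiviCRM project code): a check an administrator can run to verify that a configured ConfigAndLog directory is not reachable through the web server's document root, and to list any CiviCRM log files already sitting under it. The site layout and paths built in `demo()` are constructed for illustration and are assumptions, not CiviCRM defaults.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def log_dir_is_web_accessible(docroot: str, log_dir: str) -> bool:
    """Return True if log_dir can be served by a web server rooted at docroot.

    Both the literal configured path ('..' collapsed, symlinks kept) and the
    fully resolved path are compared against both forms of the document root:
    a directory outside the root reached through a symlink inside the root is
    still served by a server that follows symlinks, and a symlinked root must
    be compared against its target. Prefix matching is done on path components,
    so /srv/www2 is not mistaken for a child of /srv/www.
    """
    roots = {Path(os.path.abspath(docroot)), Path(docroot).resolve()}
    candidates = {Path(os.path.abspath(log_dir)), Path(log_dir).resolve()}
    return any(c == r or r in c.parents for r in roots for c in candidates)


def find_exposed_logs(docroot: str) -> List[str]:
    """List CiviCRM.<hash>.log files that currently sit under the document root."""
    return sorted(str(p) for p in Path(docroot).rglob("CiviCRM.*.log"))


def demo() -> Dict[str, object]:
    """Build a constructed sample site layout in a temp dir and run both checks."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "www"
    inside = docroot / "sites/default/files/civicrm/ConfigAndLog"  # constructed
    outside = base / "private/civicrm/ConfigAndLog"  # constructed
    sibling = base / "www2/ConfigAndLog"  # shares a string prefix with docroot
    for d in (inside, outside, sibling):
        d.mkdir(parents=True)
    (docroot / "linked").symlink_to(outside)  # symlink inside root -> outside
    (inside / "CiviCRM.999AAABBBCCCDDDEEEFFF.log").write_text("constructed sample\n")
    return {
        "inside": log_dir_is_web_accessible(str(docroot), str(inside)),
        "outside": log_dir_is_web_accessible(str(docroot), str(outside)),
        "sibling": log_dir_is_web_accessible(str(docroot), str(sibling)),
        "symlink": log_dir_is_web_accessible(str(docroot), str(docroot / "linked")),
        "exposed": [Path(p).relative_to(docroot).as_posix()
                    for p in find_exposed_logs(str(docroot))],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```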
Attachments
Issue Links
- is supplemented by CRM-17149: Unjustified security warning about debug log file being downloadable (Done/Fixed)