Details
- Type: Bug
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 4.3.8, 4.4.3
- Fix Version/s: 4.4.5
- Component/s: Core CiviCRM
- Security Level: Security - Published
- Labels: None
Description
It seems there are still some predictable filenames that lead to exposed contact data via Google dorks:
https://www.google.com/search?q=inurl%3Acivicrm%2Fupload%2FsqlImport.duplicates
https://www.google.com/search?q=inurl%3Acivicrm%2Fupload%2FsqlImport.errors
https://www.google.com/search?q=inurl%3Afiles%2Fcivicrm%2Fupload+csv
https://www.google.com/search?q=inurl:files%2Fcivicrm+configandlog
https://www.google.com/search?q=inurl:civicrm%2Fupload+csv
Pretty sure we've run into this (or a similar) issue once or twice before?
Discussed on security@civicrm.org with Tim Otten - a couple of suggestions came from that.
1. Only put public files in the public-facing web directory, e.g. media uploaded via the RTE for CiviMails, contribution pages and event registration pages; maybe generated CSS/JS files (not currently, but in future). Other files should be routed via CiviCRM (e.g. /civicrm/file?collection=pdfs&id=123.pdf) and trigger permission checks.
This won't happen for 4.4, so we might need to consider intermediate fixes.
2. Test that access controls are working (e.g. that the .htaccess created in ConfigAndLog correctly prevents listing files at http://example.org/sites/default/files/civicrm/ConfigAndLog), and report to the site admin if the response to that URL contains filenames known to be in that directory.
3. Generate blank index.html files for all directories and subdirectories to prevent listing of files.
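As an added example (not CiviCRM's own code), a small Python audit a site admin could run over the web-reachable files/civicrm tree: it reports directories that would allow a listing and files carrying the predictable names the dorks above match, and applies suggestion 3 by dropping a blank index.html into every directory that lacks one. The filename patterns, the .htaccess directives it recognises and the sample tree are assumptions constructed for this example.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Assumptions: names the dorks above match (not a CiviCRM list), and Apache
# directives that stop listing (honoured only with AllowOverride in effect).
SENSITIVE_PATTERNS = ("sqlImport.duplicates", "sqlImport.errors", "*.csv", "*.log")
LISTING_BLOCKERS = ("-Indexes", "Deny from all", "Require all denied")

def audit_upload_tree(root):
    """Return (unprotected_dirs, sensitive_files) as sorted paths relative to root."""
    root = Path(root)
    unprotected, sensitive = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        protected = "index.html" in filenames  # a blank index.html hides the listing on any server
        if ".htaccess" in filenames:
            text = (Path(dirpath) / ".htaccess").read_text()
            protected = protected or any(b in text for b in LISTING_BLOCKERS)
        if not protected:
            unprotected.append(str(rel))
        sensitive += [str(rel / n) for n in filenames
                      if any(fnmatch.fnmatch(n, p) for p in SENSITIVE_PATTERNS)]
    return sorted(unprotected), sorted(sensitive)

def add_blank_index_files(root):
    """Suggestion 3 from the report: an empty index.html in every directory lacking one."""
    root, created = Path(root), []
    for dirpath, _dirs, filenames in os.walk(root):
        if "index.html" not in filenames:
            target = Path(dirpath) / "index.html"
            target.write_text("")
            created.append(str(target.relative_to(root)))
    return sorted(created)

def run_demo():
    """Build a constructed tree echoing the dorks' paths (no real data), audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "civicrm"
        (base / "upload").mkdir(parents=True)
        (base / "upload" / "sqlImport.duplicates").write_text("constructed,row\n")
        (base / "upload" / "contacts.csv").write_text("name,email\n")
        (base / "ConfigAndLog").mkdir()
        (base / "ConfigAndLog" / ".htaccess").write_text("Options -Indexes\nDeny from all\n")
        (base / "ConfigAndLog" / "CiviCRM.log").write_text("constructed log line\n")
        before = audit_upload_tree(base)
        created = add_blank_index_files(base)
        after = audit_upload_tree(base)
    return before, created, after
```

The sensitive-file list is reported even for directories whose .htaccess denies access, because that protection depends on the web server honouring the file; moving those files out of the web root (suggestion 1) is what removes the exposure.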