CiviCRM 4.4.4 introduced a check whether some sensitive directories are downloadable (https://civicrm.org/advisory/civi-sa-2014-001-risk-information-disclosure), which results in security warnings on a BOA system:

Security Warning
The CiviCRM debug log should not be downloadable.

Security Warning
Files in the upload directory should not be downloadable.

To prevent access, there should be a rule similar to this in the nginx conf (untested, see http://forum.civicrm.org/index.php?topic=31570.0):

location ~ ^/sites/.*/files/civicrm/(ConfigAndLog|upload|templates_c) {
    deny all;
}

I'm not sure if this can be implemented by default, as the civicrm files directory paths can be changed, but to tighten security and get rid of the annoying warnings, a solution would be nice.
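One practical caveat with the rule above is that nginx evaluates regex ("~") locations in the order they appear in the configuration and stops at the first match, so if a `location ~ \.php$` block comes earlier in the vhost, a PHP file dropped into the upload directory would still be handed to the PHP backend instead of being denied. The following is an added example, not code from the original post or from the BOA/Octopus project: a small Python model of nginx location selection that runs the proposed deny regex and a hypothetical `\.php$` handler against constructed request paths in both orderings. The prefix locations, handler names and sample paths (including the `CiviCRM.debug.log` and `evil.php` file names) are assumptions made for the illustration.

```python
import re

# Simplified model of nginx location selection (example code, not from BOA):
# the longest matching prefix location is remembered, then regex locations
# are tried in configuration order and the first match wins; only when no
# regex matches does the prefix location apply. "=" and "^~" are not modelled.

# The deny rule proposed in the issue, and an assumed PHP handler location.
CIVICRM_DENY = r"^/sites/.*/files/civicrm/(ConfigAndLog|upload|templates_c)"
PHP_HANDLER = r"\.php$"

# Assumed prefix locations: everything not matched by a regex is served as
# a static file.
PREFIXES = [("/", "static")]

# Correct ordering: the deny rule precedes the PHP handler.
SAFE_ORDER = [(CIVICRM_DENY, "deny"), (PHP_HANDLER, "php")]
# Problematic ordering: the PHP handler precedes the deny rule.
UNSAFE_ORDER = [(PHP_HANDLER, "php"), (CIVICRM_DENY, "deny")]

# Constructed request paths for the demonstration.
REQUESTS = [
    "/sites/default/files/civicrm/ConfigAndLog/CiviCRM.debug.log",
    "/sites/default/files/civicrm/upload/evil.php",
    "/sites/example.org/files/civicrm/templates_c/en_US/x.tpl.php",
    "/sites/default/files/styles/large/pic.png",
    "/index.php",
]


def select_location(path, prefix_locations, regex_locations):
    """Return the handler name nginx would pick for the request path."""
    best_prefix = None
    for prefix, name in prefix_locations:
        if path.startswith(prefix) and (
            best_prefix is None or len(prefix) > len(best_prefix[0])
        ):
            best_prefix = (prefix, name)
    # Regex locations: first match in configuration order terminates search.
    for pattern, name in regex_locations:
        if re.search(pattern, path):
            return name
    return best_prefix[1] if best_prefix else None


def evaluate(regex_order):
    """Map each constructed request path to the handler chosen under this order."""
    return {path: select_location(path, PREFIXES, regex_order) for path in REQUESTS}


if __name__ == "__main__":
    for label, order in (("deny before php", SAFE_ORDER), ("php before deny", UNSAFE_ORDER)):
        print(label)
        for path, handler in evaluate(order).items():
            print(f"  {handler:6s} {path}")
```

With the deny block placed first, every path under ConfigAndLog, upload and templates_c ends up denied regardless of extension; with the PHP handler first, `upload/evil.php` and the cached `.tpl.php` template are routed to PHP. Note also that `deny all` answers with 403, which confirms the directory exists; `return 404;` inside the same location is an option if that disclosure matters.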

Comments

omega8cc

Status: Active » Fixed

Committed in http://drupalcode.org/project/octopus.git/commit/56bcb63 (but not in provision yet)

Thanks.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.