CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Discussion (deprecated) »
  • Feature Requests and Suggestions (Moderator: Dave Greenberg) »
  • Create dummy index.html file in all CiviCRM directories
Pages: [1]

Author Topic: Create dummy index.html file in all CiviCRM directories  (Read 7243 times)

sureddin

  • Guest
Create dummy index.html file in all CiviCRM directories
August 31, 2008, 01:53:58 pm
In Joomla, every directory has a dummy index.html file that prevents enumeration and display of files in a directory.  It seems that CiviCRM does not do that.

While, I don't see an explicit security issue with the current CiviCRM setup, having the dummy index.html file in every CiviCRM directory/subdirectory seems to limit basic information exposure of files on the site, and more particularly if someone started modifying CiviCRM files, the new filenames would not be readily accessible as it is now.

Thanks
Paul
« Last Edit: August 31, 2008, 01:56:07 pm by sureddin »

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Create dummy index.html file in all CiviCRM directories
August 31, 2008, 03:08:35 pm
Quote from: sureddin on August 31, 2008, 01:53:58 pm
In Joomla, every directory has a dummy index.html file that prevents enumeration and display of files in a directory.  It seems that CiviCRM does not do that.

In general, this should be done at the webserver level preferably (restrict directory access). I'm not sure its a good idea for an application to add index.html to all directories, especially considering the number of directories and external packages civicrm uses

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

sureddin

  • Guest
Re: Create dummy index.html file in all CiviCRM directories
August 31, 2008, 03:37:20 pm
Thanks Donald:

I have modified the ".htaccess" file for my site to include:

Options -Indexes

Which takes care of the file enumeration, but I will need to test to make sure that no other components are affected.

Paul

speleo

  • Ask me questions
  • ****
  • Posts: 396
  • Karma: 28
  • CiviCRM version: 4.3.1
  • CMS version: J! 2.5,9
  • MySQL version: 5.1
  • PHP version: 5.3.24
Re: Create dummy index.html file in all CiviCRM directories
September 01, 2008, 12:39:25 am
Hi Paul,

Can you let us know if this works for you.

ken

  • I live on this forum
  • *****
  • Posts: 916
  • Karma: 53
    • City Bible Forum
  • CiviCRM version: 4.6.3
  • CMS version: Drupal 7.36
  • MySQL version: 5.5.41
  • PHP version: 5.3.10
Re: Create dummy index.html file in all CiviCRM directories
September 28, 2008, 01:26:31 am
Folks,

I've just placed a .htaccess file in the administrator/components/com_civicrm directory of my test server. All it contains is the line 'Options -Indexes'.

The functionality works, except for the Contact Search widget (no Ajax calls), and the CSS doesn't appear to work.

Ken

ken

  • I live on this forum
  • *****
  • Posts: 916
  • Karma: 53
    • City Bible Forum
  • CiviCRM version: 4.6.3
  • CMS version: Drupal 7.36
  • MySQL version: 5.5.41
  • PHP version: 5.3.10
Re: Create dummy index.html file in all CiviCRM directories
September 28, 2008, 02:18:19 am
I note that all the other extensions in my Joomla! installation have a blank index.html in each subdirectory. It seems to be the standard.

I appreciate why lobo might not want to add an index.html to each directory (does Drupal have the same issue?). However it might be wise to add the following pseudo-code to the Joomla installer ...

Code: [Select]
Starting at /administrator/components/com_civicrm and repeating for each sub-directory
    If directory doesn't contain index.html or index.php
        Create an index.html file containing '<html><body></body></html>'
Repeat at /components/com_civicrm

Ken
Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Discussion (deprecated) »
  • Feature Requests and Suggestions (Moderator: Dave Greenberg) »
  • Create dummy index.html file in all CiviCRM directories

This forum was archived on 2017-11-26.