CIVI-SA-2016-18: Potential SQL injection in developer mode
Submitted by seamuslee on August 31, 2016 - 23:42Sites which use the Drupal 6 "devel" module with CiviCRM to log SQL queries may be vulnerable to a SQL injection. However, it is not clear if this vulnerability is exploitable.
CIVI-SA-2016-17: Manage CSRF overrides for external profile forms
Submitted by totten on August 31, 2016 - 20:52CiviCRM allows administrators to define custom profile-forms in which constituents enter their names, addresses, custom data, etc. CiviCRM is designed to embed all its forms within a CMS (such as Drupal, Joomla, or WordPress), but some administrators also need to embed profile-forms in an external site or custom HTML document. This has sometimes been accomplished with an "HTML Snippet" technique -- the bare, literal HTML code for a profile-form is manually copied and pasted to an external web site.
CIVI-SA-2016-15: Improve entropy of log file name
Submitted by totten on August 31, 2016 - 19:07The CiviCRM log file is stored in data folder determined by the CMS. In all supported CMS's, this data folder defaults to world-readable, but CiviCRM needs to store logs confidentially. CiviCRM relies on two redundant protections to ensure that log files remain confidential:
CIVI-SA-2016-14: Improve permissions on backend scripts
Submitted by totten on August 31, 2016 - 17:51CiviCRM includes a handful of backend scripts (bin/migrate/*.php and bin/encryptDB.php) which facilitate some special workflows (such as migrating site-configurations and obfuscating the database). These scripts include security protections, but -- depending on your organizational policies -- these protections may be inadequate. CiviCRM v4.7.11+ tightens access to these scripts.
Who is impacted?
In older versions, the security of these scripts rests on three things: a username, a password, and the site-key.
CIVI-SA-2016-11: Potential backtrace leak
Submitted by totten on August 31, 2016 - 16:20An automated security audit (based on static code analysis of the CiviCRM codebase) indicated that a dependency (PEAR CLI from the "packages" folder) could potentially reveal semi-sensitive backtrace data if an attacker could run it and provoke an error.
An exploit of this has not been identified.
As a precautionary measure, CiviCRM v4.7.11 removes PEAR CLI.
CIVI-SA-2016-16: Improve permissions for SQL imports
Submitted by seamuslee on August 25, 2016 - 14:56CiviCRM allows users to import contacts using CSV or SQL. Prior to 4.7.11 (or 4.6.21), the permission "import contacts" allowed users to import by any means -- either CSV or SQL. A user with this permission could use it to bypass ACL rules. Beginning with 4.7.11+ (or 4.6.21+), there is now a separate permission "import SQL datasource". If you want your users to be able to import contacts using SQL, you must now grant both permissions ("import contacts" and "import SQL datasource").
CIVI-SA-2016-13: Improve secure flags on cookies
Submitted by xurizaemon on August 23, 2016 - 15:55CiviCRM previously did not set secure flags to restrict cookies to SSL where appropriate. This was not a security risk by itself, but the change is being made and notified in security release information as part of a wider "defense in depth" process within CiviCRM.
CIVI-SA-2016-12: SQL injection in API
Submitted by xurizaemon on August 23, 2016 - 15:19A SQL injection vulnerability in CiviCRM's API was identified, where an API parameter was identified as being passed directly to SQL.
This is mitigated by the fact that the remote user must have some elevated permissions to exploit the vulnerability. CiviCRM recommends that all sites upgrade to obtain this and other recent fixes.
CIVI-SA-2016-10: Insufficient permissions checking when editing own comment
Submitted by xurizaemon on June 1, 2016 - 14:26An access bypass was identified where if a user was permitted only the "View own contact" permission in the CMS, they were also able to edit their own contact. This bypass of permissions checking did not extend to other contacts in CiviCRM.
CIVI-SA-2016-09: Risk of information disclosure in packaged library
Submitted by xurizaemon on June 1, 2016 - 14:13A potential for information disclosure was identified in a packaged library, HTML TreeBuilder.
CiviCRM now patches the TreeBuilder library to direct debug output to the CiviCRM debug log, rather than to screen.
CIVI-SA-2016-08: Persistent XSS in CiviCRM backend
Submitted by totten on May 3, 2016 - 14:39This release addresses an issue where it was possible to deliver a cross-site scripting attack through the CiviCRM backend.
To exploit this vulnerability, both the attacker and victim need permission to access the CiviCRM backend, and the victim must visit a specific screen.
For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.
CIVI-SA-2016-07: SQL Injections in AJAX callbacks
Submitted by totten on May 3, 2016 - 14:16Multiple SQL injections have been identified in AJAX helpers supporting backend forms. An exploit has been demonstrated. Executing an exploit requires a user account with some kind of CiviCRM permission (such as "access CiviCRM" or "view my contact").
CIVI-SA-2016-06: Bundled TCPDF library update
Submitted by xurizaemon on March 1, 2016 - 18:58A bundled library, TCPDF, had a recent security flaw patched. This vulnerability permitted a malicious user to make the PDF library perform unexpected actions, potentially permitting data disclosure. This was mitigated by the fact that only administrative users have access to the PDF generation functionality which uses TCPDF.
CIVI-SA-2016-05: Privilege escalation by backend users
Submitted by totten on February 29, 2016 - 12:38In some configurations, a malicious backend user may be able to impersonate another backend user. Some conditions must be met to be exploitable:
- The malicious backend user must already have write-access to the target user's contact record.
- The malicious backend user must know the CIVICRM_SITE_KEY.
CIVI-SA-2016-04: SQL injection in CiviCRM installer
Submitted by xurizaemon on February 2, 2016 - 02:17The CiviCRM installer was potentially vulnerable to SQL injection.
CIVI-SA-2016-03: Multiple vulnerabilties in DOMPDF
Submitted by xurizaemon on February 2, 2016 - 02:12The 4.6.11 release of CiviCRM addresses multiple vulnerabilities in DOMPDF, a library used within CiviCRM to generate PDFs.
For more information, see the DOMPDF release notes for DOMPDF v0.6.2
CIVI-SA-2016-02: Access bypass
Submitted by xurizaemon on February 2, 2016 - 02:06The 4.6.11 release of CiviCRM addresses an issue whereby users with limited administrative rights (data viewing) were able to modify certain fields within CiviCRM.
CIVI-SA-2016-01: Path disclosure
Submitted by xurizaemon on February 2, 2016 - 01:58The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.
This is Full Path Disclosure and while not directly exploitable, in combination with other attacks it may weaken the security of an installation.
For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.
CIVI-SA-2015-011: Reflected XSS in Error Message
Submitted by totten on November 3, 2015 - 12:40This release addresses an issue where it was possible to deliver XSS by directing a user to a CiviCRM URL which triggered a fatal error. The issue has been addressed by correctly escaping output from CiviCRM's fatal error handler.
For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.
CIVI-SA-2015-010: Version information disclosure
Submitted by colemanw on November 2, 2015 - 12:56The CiviCRM footer may have been displayed to users without "access CiviCRM" permission under certain conditions. The footer shows limited version information and upgrade notifications, which could be used by an attacker to identify vulnerabilities based on whether the installed version is up-to-date.
CIVI-SA-2015-009: Incorrect escaping of user input
Submitted by colemanw on September 27, 2015 - 19:26There was a bug in one of CiviCRM's internal type checks which may allow inappropriate user input to be saved to the database and/or displayed.
This was a general weakness in one of CiviCRM's security layers; no specific exploits of this have been identified. This type of vulnerability could potentially allow attackers to save malicious content to the database or display it to site users.
CIVI-SA-2015-008: ACL bypass in 4.6.7
Submitted by xurizaemon on August 26, 2015 - 14:46CiviCRM 4.6.7 introduced an access bypass issue which applied a limited number of sites.
The issue affected only certain configurations, where the site used ACLs to limit access, and applied to users whose permissions included “access CiviCRM” and “view my contact” but not “view all contacts”. Changes introduced in CRM-16512 allowed the “view my contact” permission for those users to incorrectly grant access to all contacts.
CIVI-SA-2015-007: Open redirect in post-form display
Submitted by xurizaemon on August 19, 2015 - 05:09The contribution page's return URL could be used to redirect site visitors to another URL.
For more information about this type of attack, see OWASP's reference page on open redirects.
CIVI-SA-2015-006: XSS in fatal error handler
Submitted by xurizaemon on August 19, 2015 - 05:01This release addresses an issue where it was possible to deliver XSS by directing a user to a CiviCRM URL which triggered a fatal error. The issue has been addressed by correctly escaping output from CiviCRM's fatal error handler.
For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.
CIVI-SA-2015-005 - SQL Injection in CiviMail Backend
Submitted by totten on March 4, 2015 - 12:15The backend CiviMail composition screen includes an input field which is passed to a SQL query without proper escaping.
An exploit of this vulnerability in CiviCRM has not been identified. Additional filters apply to the field which block a number of SQL control characters. Never-the-less, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.
