CIVI-SA-2013-003 - Custom Search Permissions

Security Risk: Less Critical

Vulnerability: Access Bypass

Affected Versions: CiviCRM v2.0.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions: CiviCRM v4.2.10 and v4.3.4

Publication Date: Monday, June 10, 2013

Description: 

CiviCRM v2+ includes a "Custom Search" system which allows administrators to register customized search forms, and it ships with some default custom searches (e.g. "Find Contribution Amounts by Tag"). CiviCRM also supports role-based access controls using permissions like "access CiviContribute" or "access CiviEvent". For the default custom searches, CiviCRM does not enforce the expected role-based access controls.

For example: if a security policy grants a user permission to view the CiviCRM backend ("access CiviCRM") but denies permission to view contribution data ("access CiviContribute"), then the user may still access contribution data through a custom search.

This vulnerability is mitigated by the fact that the access controls can only be bypassed by users with the permission "access CiviCRM".
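The following is an added illustration, not CiviCRM's own code or its fix: a small model of the access check at a custom-search entry point, in its pre-fix form (only the backend permission is tested) beside a hardened form (the component permission the search exposes is tested as well). The permission names "access CiviCRM" and "access CiviContribute" are the ones named in this advisory; the second search name, the mapping of searches to component permissions, and the user fixture are constructed for the example.

```python
"""Model of why a coarse backend permission is not enough to gate a
component-specific custom search (added example, not CiviCRM code)."""

# Constructed registry: which component permission each custom search exposes.
# The mapping is an assumption for this example; "Event Participants by Tag"
# is a hypothetical search name.
CUSTOM_SEARCH_PERMISSIONS = {
    "Find Contribution Amounts by Tag": "access CiviContribute",
    "Event Participants by Tag": "access CiviEvent",
}

BACKEND_PERMISSION = "access CiviCRM"


class AccessDenied(Exception):
    """Raised with the name of the permission the user is missing."""


def run_custom_search_vulnerable(search_name, user_permissions):
    """Pre-fix behaviour: only the backend permission is checked, so
    contribution data is reachable without 'access CiviContribute'."""
    if BACKEND_PERMISSION not in user_permissions:
        raise AccessDenied(BACKEND_PERMISSION)
    return f"rows for {search_name!r}"


def run_custom_search_fixed(search_name, user_permissions):
    """Hardened dispatcher: the component permission the search touches is
    enforced at the search entry point, not just in the menu linking to it."""
    if BACKEND_PERMISSION not in user_permissions:
        raise AccessDenied(BACKEND_PERMISSION)
    required = CUSTOM_SEARCH_PERMISSIONS.get(search_name)
    if required is None:
        # Unknown search: fail closed rather than assume it exposes nothing.
        raise AccessDenied(f"no permission mapping for {search_name!r}")
    if required not in user_permissions:
        raise AccessDenied(required)
    return f"rows for {search_name!r}"


def reachable_searches(dispatcher, user_permissions):
    """Return the set of custom searches a user can reach through `dispatcher`.

    This is the check an administrator wants when verifying that a policy of
    'backend access, but no contribution data' is actually enforced."""
    reachable = set()
    for name in CUSTOM_SEARCH_PERMISSIONS:
        try:
            dispatcher(name, user_permissions)
        except AccessDenied:
            continue
        reachable.add(name)
    return reachable


# Constructed fixture: a staff user allowed into the backend and CiviEvent,
# but deliberately denied CiviContribute.
STAFF_NO_CONTRIB = frozenset({"access CiviCRM", "access CiviEvent"})

if __name__ == "__main__":
    print("vulnerable:", sorted(reachable_searches(run_custom_search_vulnerable, STAFF_NO_CONTRIB)))
    print("fixed:     ", sorted(reachable_searches(run_custom_search_fixed, STAFF_NO_CONTRIB)))
```

Run against the fixture, the vulnerable dispatcher lets the user into the contribution search while the fixed one does not; the unknown-search branch fails closed so that a newly registered search without a permission mapping is not silently treated as harmless.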

Solutions: 

Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM v4.2.10 or v4.3.4+
  • Disable any custom searches which should not be generally accessible to backend/staff users. (Custom searches may be disabled by navigating to "Administer => Customize Data and Screens => Manage Custom Searches".)

Credits: 

  • Sarah Gladstone (Pogstone Inc)
  • Pratik Joshi (CiviCRM LLC)
  • Donald Lobo (CiviCRM LLC)

CVE: 