CIVI-SA-2013-003 - Custom Search Permissions

Published
2013-06-05 09:49
Written by

CiviCRM v2+ includes a "Custom Search" system which allows administrators to register customized search forms and includes some default custom-searches (e.g. "Find Contribution Amounts by Tag"). CiviCRM also supports role-based access controls using permissions like "access CiviContribute" or "access CiviEvent". For the default custom-searches, CiviCRM does not enforce the expected role-based access controls.

For example: If a security policy grants a user permission to view the CiviCRM backend ("access CiviCRM") but denies permission to view contribution data ("access CiviContribute"), then the user may still access contribution data through a custom-search.

This vulnerability is mitigated by the fact that the access controls can only be bypassed by users with the permission "access CiviCRM".

Security Risk
Less Critical
Vulnerability
Access Bypass
Affected Versions

CiviCRM v2.0.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions

CiviCRM v4.2.10 and v4.3.4

Solutions

Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM 4.2.10 or v4.3.4+
  • Disable any custom searches which should not be generally accessible by backend/staff users. (Custom searches may be disabled by navigating to "Administer => Customize Data and Screens => Manage Custom Searches".)
Credits
  • Sarah Gladstone (Pogstone Inc)
  • Pratik Joshi (CiviCRM LLC)
  • Donald Lobo (CiviCRM LLC)
CVE
CVE-2013-4661