CIVI-SA-2015-003 - Persistent XSS in Drupal watchdog integration

Published
2015-02-28 22:02

By default, CiviCRM records log entries in a flat text file. Optionally, log entries may be directed to Drupal's watchdog() service. If this option is enabled, and if a log entry includes user-supplied data, the user-supplied data may not be correctly encoded. When an administrator browses the log entries, they may be exposed to a cross-site scripting attack.
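An added example, not CiviCRM's or Drupal's own code, contrasting the logging pattern this advisory describes with the form Drupal's logging API intends. It assumes the Drupal 7 watchdog($type, $message, $variables) calling convention and the log viewer's behaviour of printing a record verbatim when it carries no variables array and otherwise substituting placeholders, with '@name' escaped and '!name' left raw; a small stand-in for that rendering step is included so the script runs from the command line without Drupal.

```php
<?php
// Added example (not CiviCRM or Drupal code). Assumed Drupal 7 behaviour:
// watchdog($type, $message, $variables) stores the record, and the log viewer
// prints $message verbatim when $variables is not an array, otherwise it
// substitutes placeholders: '@name' values are HTML-escaped, '!name' are not.

// Stand-in for the rendering step of the Drupal 7 log viewer (assumed behaviour).
function render_log_row(array $row) {
  if (!is_array($row['variables'])) {
    // No placeholder array: whatever was stored in 'message' reaches the browser as-is.
    return $row['message'];
  }
  $out = $row['message'];
  foreach ($row['variables'] as $key => $value) {
    // '@' placeholders are escaped; '!' placeholders are substituted raw.
    $safe = ($key[0] === '@') ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    $out = str_replace($key, $safe, $out);
  }
  return $out;
}

// Stand-in for watchdog(): returns the record as the watchdog table would store it.
function store_log($type, $message, $variables = NULL) {
  return array('type' => $type, 'message' => $message, 'variables' => $variables);
}

// Constructed untrusted input, as it might arrive from a public form field.
$email = '"><script>alert(document.cookie)</script>';

// VULNERABLE pattern: the user-controlled value is concatenated into the message
// text with no placeholder array, so it is stored raw and rendered raw to the admin.
$bad = store_log('civicrm', 'Contact import failed for ' . $email);

// HARDENED pattern: the value travels as an '@' placeholder and is escaped when
// the viewer renders it. A '!' placeholder would NOT protect here.
$good = store_log('civicrm', 'Contact import failed for @email', array('@email' => $email));

echo "vulnerable: " . render_log_row($bad) . "\n";
echo "hardened:   " . render_log_row($good) . "\n";
```

Running the script prints the first line with the script tag intact and the second with it entity-encoded, which is the difference an administrator's browser sees.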

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

CiviCRM v4.3.0 - v4.3.10

CiviCRM v4.2.0 - v4.2.19

(Older versions: Unassessed)

Fixed Versions

CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+

Solutions

Any ONE of the following should provide forward protection:

  • Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+
  • In "Administer => System Settings => Debugging and Error Handling", disable the integration with Drupal watchdog.

Additionally, you may want to protect against malicious log entries that could have been created before the fix was applied, for example:

  • Make an archival backup of the Drupal watchdog table (e.g. "mysqldump DRUPALDB watchdog > /var/backups/old_watchdog.sql") and then truncate the table (in MySQL "TRUNCATE watchdog"). If you need to access the old watchdog records, review the old_watchdog.sql.
  • Search the table for any messages that include markup and review them for safety (e.g. "SELECT * FROM watchdog WHERE message LIKE '%<%'"). Delete or clean suspicious records.
Credits
  • John Prescott and David Knoll (Future First)
  • Eileen McNaughton and Chris Burgess (Fuzion)