CIVI-SA-2016-01: Path disclosure

Published
2016-02-02 01:58
The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.

This is a Full Path Disclosure weakness. It is not directly exploitable on its own, but in combination with other attacks it may weaken the security of an installation.

For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.
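As an added example (not part of the CiviCRM advisory or the project's own code), the following Python script shows what a full-path disclosure typically looks like when a PHP file is requested directly, outside the application's bootstrap, and how an administrator can check their own installation's responses for it. The sample response bodies and the file names in them are constructed placeholders, not the files covered by CRM-17177.

```python
import html
import re

# Constructed sample HTTP response bodies (not taken from the advisory).
# The first two mimic the PHP error text a file emits when it is requested
# directly with display_errors enabled; the third is an ordinary page.
SAMPLE_RESPONSES = {
    "/sites/all/modules/civicrm/example.php": (
        "<br />\n<b>Fatal error</b>:  Class 'CRM_Core_Config' not found in "
        "<b>/var/www/html/sites/all/modules/civicrm/example.php</b> "
        "on line <b>12</b><br />\n"
    ),
    "/wp-content/plugins/civicrm/civicrm/other.php": (
        "Warning: include(../bootstrap.inc): failed to open stream: "
        "No such file or directory in "
        "C:\\inetpub\\wwwroot\\wp-content\\plugins\\civicrm\\civicrm\\other.php "
        "on line 3"
    ),
    "/civicrm/contact/search": "<html><body><h1>Find Contacts</h1></body></html>",
}

# A PHP diagnostic: "<level>: <message> in <file> on line <n>".
# Only the file name that follows the word "in" is captured.
PHP_ERROR_RE = re.compile(
    r"\b(?:Fatal error|Parse error|Warning|Notice|Deprecated)\b"
    r"[^\n]*?\bin\b\s*(?P<path>\S+?\.php)\b"
)

# Absolute path on Unix ("/...") or Windows ("C:\...").
ABS_PATH_RE = re.compile(r"^(?:/|[A-Za-z]:\\)")


def strip_html(body: str) -> str:
    """Remove tags and decode entities so the regex sees plain error text."""
    return html.unescape(re.sub(r"<[^>]+>", "", body))


def find_path_disclosures(body: str) -> list:
    """Return the absolute file-system paths leaked by PHP errors in a body."""
    found = []
    for match in PHP_ERROR_RE.finditer(strip_html(body)):
        path = match.group("path")
        if ABS_PATH_RE.match(path) and path not in found:
            found.append(path)
    return found


def parent_dir(path: str) -> str:
    """Directory part of a leaked path, for either separator style."""
    sep = "\\" if "\\" in path else "/"
    return path.rsplit(sep, 1)[0]


def scan_responses(responses: dict) -> dict:
    """Map each URL whose response leaks a path to the paths it leaks."""
    return {
        url: paths
        for url, body in responses.items()
        if (paths := find_path_disclosures(body))
    }


if __name__ == "__main__":
    for url, paths in scan_responses(SAMPLE_RESPONSES).items():
        for path in paths:
            print(f"{url}: leaks {path} (install directory {parent_dir(path)})")
```

Run against real responses, the scan is only meaningful after an upgrade or patch, and a clean result also depends on the PHP `display_errors` setting: the regex matches what PHP prints to the page, so errors that are logged rather than displayed do not leak a path to the visitor.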

Security Risk
Not Critical
Vulnerability
Other
Affected Versions
  • CiviCRM 4.6.10 and below
Fixed Versions
  • CiviCRM 4.6.11
Solutions
  • Upgrade to CiviCRM 4.6.11 or later, OR
  • Apply patch from CRM-17177: https://github.com/civicrm/civicrm-core/pull/7156
Credits

This issue was responsibly disclosed to CiviCRM by the Hewlett-Packard Fortify Open Review Project. For more information about the Fortify Open Review project, visit https://hpfod.com/open-source-review-project

This issue was resolved by Chris Burgess of Fuzion Aotearoa.