Security Risk: 
Less Critical
Vulnerability: 
Information Disclosure
Affected Versions: 

Up through v4.6.20 and v4.7.10

 

Fixed Versions: 

v4.6.21+ and v4.7.11+

 

Publication Date: 
Wednesday, September 7, 2016
Description: 

The CiviCRM log file is stored in data folder determined by the CMS. In all supported CMS's, this data folder defaults to world-readable, but CiviCRM needs to store logs confidentially. CiviCRM relies on two redundant protections to ensure that log files remain confidential:

  1. The web server should be configured to prohibit any remote access to the log folder. (This is a recommended practice but cannot be strongly enforced by CiviCRM across all installations. CiviCRM generates warnings if your web server is configured insecurely.)
  2. The filenames within the log folder include a hash-code which makes them hard-to-guess.

If the first layer of security is in tact, then your system is secure. However, if a configuration error or oversight compromises the first layer of security, then you may be affected by issues in the second layer of security. CiviCRM v4.7.11 and v4.6.21 improves the second layer of security by changing the hash-code.

Tip: If you have configured log-rotation or log-aggregation, then your configuration may rely on the old hash-code. After upgrading, double-check that your log-rotation/log-aggregation configuration is up-to-date.

Solutions: 

Any ONE of the following:

  • Upgrade to CiviCRM v4.6.21+ or v4.7.11+
  • Ensure that the HTTP server prohibits access to the "ConfigAndLog" folder
  • Ensure that the credentials used for CIVICRM_DSN have a unique, hard-to-guess password
  • Backport https://github.com/civicrm/civicrm-core/pull/8514
Credits: 
  • Chris Burgess (Fuzion)
  • Tim Otten (CiviCRM)