CIVI-SA-2016-16: Improve permissions for SQL imports

2016-08-25 14:56
Written by

CiviCRM allows users to import contacts using CSV or SQL. Prior to 4.7.11 (or 4.6.21), the permission "import contacts" allowed users to import by any means -- either CSV or SQL. A user with this permission could use it to bypass ACL rules. Beginning with 4.7.11+ (or 4.6.21+), there is now a separate permission "import SQL datasource". If you want your users to be able to import contacts using SQL, you must now grant both permissions ("import contacts" and "import SQL datasource"). It is the recommendation that the permission should only be given to the most trust worthy users. 

Security Risk
Access Bypass
Affected Versions

CiviCRM Versions prior to 4.7.11 or 4.6.21

Fixed Versions

CiviCRM Versions 4.7.11 or greater, or 4.6.21 or greater


Any ONE of the following should provide protection:


Chris Burgess (Fuzion) for identifying the issue

Tim Otten (CiviCRM) for fixing the issue