CIVI-SA-2016-18: Potential SQL injection in developer mode

Published
2016-08-31 23:42
Sites that use the Drupal 6 "devel" module together with CiviCRM to log SQL queries may be vulnerable to SQL injection. It is not clear whether this vulnerability is exploitable.

Security Risk
Less Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM versions 4.6.20, 4.7.10 or previous

Fixed Versions

CiviCRM versions 4.6.21 and 4.7.21

Solutions

To fix this, users should do one of the following:

  • Upgrade to CiviCRM 4.6.21 or 4.7.11
  • Disable the "devel" module
  • Disable the "devel" module's SQL logging
  • Apply the patch as per https://github.com/civicrm/civicrm-packages/pull/154/files
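The following shell script is an added example, not code from the advisory or from the CiviCRM project. It classifies a CiviCRM version against the affected range above and wraps the two devel-side mitigations for a Drupal 6 site. It assumes drush is installed and can bootstrap the site, that devel's SQL logging is the Drupal variable dev_query, and it takes 4.6.21 and 4.7.11 (the numbers in the upgrade step) as the first fixed releases.

```shell
#!/bin/sh
# Added example, not part of the CiviCRM advisory.
# Affected per the advisory: 4.6.20, 4.7.10 and earlier. Fixed: 4.6.21 and 4.7.11
# (the upgrade step's numbers). Versions newer than 4.7.x are assumed unaffected.

# civicrm_affected VERSION -> exit 0 if VERSION is in the affected range, 1 otherwise.
# An empty or unparsable version is treated as affected (conservative default).
civicrm_affected() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs      # split "4.7.10" into 4, 7, 10
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}      # "10-beta1" -> "10"
    [ "$major" -lt 4 ] && return 0                  # 3.x and older: "or previous"
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 6 ] && return 0                  # 4.5.x and older
    [ "$minor" -eq 6 ] && [ "$patch" -le 20 ] && return 0
    [ "$minor" -eq 7 ] && [ "$patch" -le 10 ] && return 0
    return 1
}

# disable_devel_sql_logging SITE_ROOT: turn off devel's query logging by clearing the
# Drupal variable dev_query (assumption: drush available, site at SITE_ROOT).
disable_devel_sql_logging() {
    drush -r "$1" vset dev_query 0 -y && drush -r "$1" cc all
}

# disable_devel_module SITE_ROOT: the stronger mitigation, disabling devel entirely.
disable_devel_module() {
    drush -r "$1" dis devel -y && drush -r "$1" cc all
}
```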

Credits

Chris Burgess (Fuzion NZ) for reporting the issue.

Seamus Lee (Australian Greens) for fixing the issue.

References
  • https://issues.civicrm.org/jira/browse/CRM-18773 (Restricted Access)