CIVI-SA-2016-18: Potential SQL injection in developer mode

Published

2016-08-31 23:42

Written by

seamuslee

Sites which use the Drupal 6 "devel" module with CiviCRM to log SQL queries may be vulnerable to a SQL injection. However, it is not clear if this vulnerability is exploitable.

Security Risk

Less Critical

Vulnerability

SQL Injection

Affected Versions

CiviCRM versions 4.6.20, 4.7.10 or previous

Fixed Versions

CiviCRM versions 4.6.21 and 4.7.21

Solutions

To fix this users should do one of the following

Upgrade to CiviCRM 4.6.21 or 4.7.11
Disable the "devel" module
Disable the "devel" module's SQL logging
Apply the patch as per https://github.com/civicrm/civicrm-packages/pull/154/files

Credits

Chris Burgess (Fuzion NZ) for reporting the issue.

Seamus Lee (Australian Greens) for fixing the issue.

References

https://issues.civicrm.org/jira/browse/CRM-18773 (Restricted Access)

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-18: Potential SQL injection in developer mode

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-18: Potential SQL injection in developer mode

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM