CIVI-SA-2019-01: Weak access-control for file attachments

2019-02-20 09:00
Written by

Most CiviCRM deployments manage access to file-attachments using a coarse-grained permission "access uploaded files".

In previous versions of CiviCRM, this access-control mechanism was overly permissive (and only secure in an unrealistically narrow range of use-cases). In newer versions, the permission "access uploaded files" remains a prerequisite. Additionally, when downloading a file, the URL must include a signed access token. The token is generated by the server, and it grants access to a specific file for a limited time period.

Security Risk: Highly Critical (Access Bypass)

Affected Versions: CiviCRM Versions 5.10.2 and earlier

Fixed Versions: CiviCRM Versions 5.10.3 and 5.7.4


Upgrade to the latest CiviCRM version

NOTE: If you have an external integration which constructs URLs for file-attachments, then you may need to update it.

  • Updated support for Drupal Views is already included with the latest CiviCRM.
  • For other integrations, please use the Attachment.get API. The Attachment.get API provides a backward-compatible and forward-compatible way to determine the attachment's download URL (return=url) or raw content (return=content,mime_type), and it has improved support for transitive permissioning.

Guanhuan Chen of Compucorp for reporting the issue.

Seamus Lee of Australian Greens, Tim Otten of CiviCRM, and Eileen McNaughton of Wikimedia for fixing the issue.