CIVI-SA-2016-15: Improve entropy of log file name

Publicat
2016-08-31 19:07
Written by

The CiviCRM log file is stored in data folder determined by the CMS. In all supported CMS's, this data folder defaults to world-readable, but CiviCRM needs to store logs confidentially. CiviCRM relies on two redundant protections to ensure that log files remain confidential:

  1. The web server should be configured to prohibit any remote access to the log folder. (This is a recommended practice but cannot be strongly enforced by CiviCRM across all installations. CiviCRM generates warnings if your web server is configured insecurely.)
  2. The filenames within the log folder include a hash-code which makes them hard-to-guess.

If the first layer of security is in tact, then your system is secure. However, if a configuration error or oversight compromises the first layer of security, then you may be affected by issues in the second layer of security. CiviCRM v4.7.11 and v4.6.21 improves the second layer of security by changing the hash-code.

Tip: If you have configured log-rotation or log-aggregation, then your configuration may rely on the old hash-code. After upgrading, double-check that your log-rotation/log-aggregation configuration is up-to-date.

Security Risk
Less Critical
Vulnerability
Information Disclosure
Affected Versions

Up through v4.6.20 and v4.7.10

 

Fixed Versions

v4.6.21+ and v4.7.11+

 

Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v4.6.21+ or v4.7.11+
  • Ensure that the HTTP server prohibits access to the "ConfigAndLog" folder
  • Ensure that the credentials used for CIVICRM_DSN have a unique, hard-to-guess password
  • Backport https://github.com/civicrm/civicrm-core/pull/8514
Credits
  • Chris Burgess (Fuzion)
  • Tim Otten (CiviCRM)