CIVI-SA-2016-16: Improve permissions for SQL imports

Publicat
2016-08-25 14:56
Written by

CiviCRM allows users to import contacts using CSV or SQL. Prior to 4.7.11 (or 4.6.21), the permission "import contacts" allowed users to import by any means -- either CSV or SQL. A user with this permission could use it to bypass ACL rules. Beginning with 4.7.11+ (or 4.6.21+), there is now a separate permission "import SQL datasource". If you want your users to be able to import contacts using SQL, you must now grant both permissions ("import contacts" and "import SQL datasource"). It is the recommendation that the permission should only be given to the most trust worthy users. 

Security Risk
Critical
Vulnerability
Access Bypass
Affected Versions

CiviCRM Versions prior to 4.7.11 or 4.6.21

Fixed Versions

CiviCRM Versions 4.7.11 or greater, or 4.6.21 or greater

Solutions

Any ONE of the following should provide protection:

  • Upgrade to CiviCRM 4.7.11 or greater, or CiviCRM 4.6.21 or greater.
  • Revoke permission "import contacts" from any users you do not fully trust
  • Backport https://github.com/civicrm/civicrm-core/pull/8922
Credits

Chris Burgess (Fuzion) for identifying the issue

Tim Otten (CiviCRM) for fixing the issue

References
  • https://issues.civicrm.org/jira/browse/CRM-15925 (restricted access)