CIVI-SA-2016-01: Path disclosure

The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.

This is Full Path Disclosure and while not directly exploitable, in combination with other attacks it may weaken the security of an installation.

For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.

Security Risk

Not Critical

Vulnerability

Other

Affected Versions

CiviCRM 4.6.10 and below

Fixed Versions

CiviCRM 4.6.11

Solutions

Upgrade to CiviCRM 4.6.11 or later, OR
Apply patch from CRM-17177: https://github.com/civicrm/civicrm-core/pull/7156

Credits

This issue was responsibly disclosed to CiviCRM by the Hewlett-Packard Fortify Open Review Project. For more information about the Fortify Open Review project, visit https://hpfod.com/open-source-review-project

This issue was resolved by Chris Burgess of Fuzion Aotearoa.

CIVI-SA-2016-01: Path disclosure

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Idiomas

CIVI-SA-2016-01: Path disclosure

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM