The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.
This is a Full Path Disclosure vulnerability: while not directly exploitable on its own, the leaked path can be combined with other attacks and so may weaken the security of an installation.
For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.
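As an added illustration of how an administrator can check their own installation for this class of issue (this is not CiviCRM's code and does not come from the advisory or the linked pull request), the following Python scans HTTP response bodies for absolute filesystem paths, which is the fingerprint of a full path disclosure. The response bodies, the request URLs and the paths inside them are all constructed for the example; the PHP warning in the first sample imitates what a PHP file emits when it is requested directly and its relative includes fail, which is the typical mechanism behind this vulnerability class.

```python
import re
from typing import Dict, List

# Constructed sample response bodies (hypothetical URLs and paths, not taken from
# CiviCRM or the advisory). The first imitates PHP's HTML-formatted warning for a
# failed include_once(); the second is a normal page; the third is a Windows variant.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/sites/all/modules/civicrm/example.php": (
        "<br />\n<b>Warning</b>:  include_once(../civicrm.config.php): failed to open stream: "
        "No such file or directory in <b>/var/www/html/sites/all/modules/civicrm/example.php</b> "
        "on line <b>3</b><br />\n"
    ),
    "/civicrm/contact/search": "<html><body>Find Contacts</body></html>",
    "/tmp-test.php": "Fatal error: Uncaught Error in C:\\inetpub\\wwwroot\\civi\\tmp-test.php:12",
}

# A Unix path rooted at a common web/home directory, or a Windows drive path.
# The lookbehind keeps URL fragments such as "/civicrm/..." from matching.
_UNIX_PATH = re.compile(r"(?<![\w/])/(?:var|home|srv|usr|opt|www)/[\w./-]+")
_WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[\w .-]+\\)*[\w .-]+")


def find_disclosed_paths(body: str) -> List[str]:
    """Return the absolute filesystem paths found in a response body, deduplicated, in order."""
    seen, out = set(), []
    for path in _UNIX_PATH.findall(body) + _WIN_PATH.findall(body):
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


def looks_like_php_error(body: str) -> bool:
    """True when the body carries PHP's default error/warning output, the usual carrier of the leak."""
    return bool(re.search(r"<b>(?:Warning|Notice|Fatal error|Parse error)</b>|^Fatal error:", body, re.M))


def scan_responses(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each URL to the paths its response leaks; URLs with no leak are omitted."""
    return {url: paths for url, body in responses.items() if (paths := find_disclosed_paths(body))}


if __name__ == "__main__":
    for url, paths in scan_responses(SAMPLE_RESPONSES).items():
        kind = "PHP error output" if looks_like_php_error(SAMPLE_RESPONSES[url]) else "other"
        print(f"{url}: leaks {paths} ({kind})")
```

Feed `scan_responses` the bodies returned by unauthenticated requests to your own installation; any hit is a reason to apply the fix. Turning `display_errors` off in PHP hides the symptom in this particular sample but does not address the underlying issue, so it is a hardening step alongside the upgrade or patch, not a substitute for it.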
Vulnerable versions:
- CiviCRM 4.6.10 and below

Fixed version:
- CiviCRM 4.6.11

Solution:
- Upgrade to CiviCRM 4.6.11 or later, OR
- Apply the patch from CRM-17177: https://github.com/civicrm/civicrm-core/pull/7156
This issue was responsibly disclosed to CiviCRM by the Hewlett-Packard Fortify Open Review Project. For more information about the Fortify Open Review project, visit https://hpfod.com/open-source-review-project
This issue was resolved by Chris Burgess of Fuzion Aotearoa.