CIVI-SA-2014-003 - Insecure handling of profile settings

Pubblicato
2014-07-01 16:43
Written by

The CiviCRM Profile subsystem allows administrators to design customized forms. The subsystem includes some advanced workflow settings which are not securely handled. By submitting a custom-crafted form to the Profile subsystem, an attacker may manipulate these settings. This vulnerability can be leveraged to acquire escalated privileges and (possibly) to issue open redirects.

This vulnerability affects any site which has enabled the CiviCRM Profile system (regardless of whether advanced settings are used), but it does not affect sites which restrict access to profiles.

Security Risk
Critical
Vulnerability
Access Bypass
Open Redirect
Affected Versions
  • CiviCRM v4.4.5 and earlier
  • CiviCRM v4.2.16 and earlier
Fixed Versions
  • CiviCRM v4.4.6
  • CiviCRM v4.2.17
Solutions

Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM 4.4.6+ or 4.2.17+
  • Deny public access to the profile system. Depending on your system configuration, this might mean disabling the permissions ("profile listings and forms", "profile create", "profile edit") or disabling profile ACLs.
Credits

Jim Meehan (Bay Area Children's Theatre)

Tim Otten (CiviCRM LLC)