CIVI-SA-2016-05: Privilege escalation by backend users

Published 2016-02-29 12:38

In some configurations, a malicious backend user may be able to impersonate another backend user. Exploitation requires both of the following conditions:

  • The malicious backend user must already have write-access to the target user's contact record.
  • The malicious backend user must know the CIVICRM_SITE_KEY.

Security Risk

Less Critical

Vulnerability

Access Bypass

Affected Versions

Up through v4.6.13 and v4.7.2

Fixed Versions

v4.6.14+ and v4.7.3+

Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v4.6.14+ or v4.7.3+.
  • Apply the patch from https://github.com/civicrm/civicrm-core/pull/7888.

Optionally, if your security policy intends to allow non-administrators to create API keys for themselves or for other users, grant the "edit own api keys" or "edit api keys" permission (respectively).

Credits

  • Xavier Dutoit (Tech to the People)
  • Tim Otten (CiviCRM)