Details
Type: Bug
Status: Done/Fixed
Priority: Critical
Resolution: Fixed/Completed
Affects Version/s: 4.2.6
Fix Version/s: 4.2.8
Component/s: CiviCRM Profile
Labels:
Description
Hi.
Here is a security bug:
On Drupal, when an anonymous user (with no special permissions) accesses:
/civicrm/profile/map?reset=1&pv=0&cid=XX&gid=YY
Where :
XX == any contact_id
YY == a profile with "Enable mapping for this profile?" enabled
This anonymous request gives you the mapping of the specified contact, including the name and address in the HTML source.
It works even if the anonymous user does not have any rights on that profile (create/view/edit/etc.) or on the contact (view/edit).
As such, any installation with at least one profile with the mapping feature enabled is at risk.
Temporary fix:
Disable mapping for all profiles or run: UPDATE civicrm_uf_group SET is_map = 0 WHERE 1
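
Added example (not part of the original report and not CiviCRM code): a log review for sites that ran an affected version, listing which contact ids each client requested through the profile map URL described above. The log lines are constructed samples in combined log format; the function names, the threshold of 3 and the assumption that a denied request returns a non-200 status are choices made for this sketch, and an access log alone does not show whether a request was anonymous.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "GET /civicrm/profile/map?reset=1&pv=0&cid=101&gid=4 HTTP/1.1" 200 5120 "-" "curl/7.29"
203.0.113.7 - - [12/Mar/2013:10:01:03 +0000] "GET /civicrm/profile/map?reset=1&pv=0&cid=102&gid=4 HTTP/1.1" 200 5093 "-" "curl/7.29"
203.0.113.7 - - [12/Mar/2013:10:01:04 +0000] "GET /civicrm/profile/map?reset=1&pv=0&cid=103&gid=4 HTTP/1.1" 200 5177 "-" "curl/7.29"
198.51.100.9 - - [12/Mar/2013:10:02:00 +0000] "GET /civicrm/profile/map?reset=1&pv=0&cid=55&gid=4 HTTP/1.1" 403 310 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2013:10:03:00 +0000] "GET /civicrm/profile/view?reset=1&id=55&gid=4 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2013:10:04:00 +0000] "GET /index.php?q=civicrm/profile/map&reset=1&cid=9&gid=4 HTTP/1.1" 200 5001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
MAP_PATH = "civicrm/profile/map"

def map_requests(log_text):
    """Yield (client_ip, cid) for requests to the profile map page that returned 200."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        # Clean URLs carry the route in the path; without them Drupal uses ?q=<route>.
        route = url.path.strip("/")
        if not route.endswith(MAP_PATH):
            route = query.get("q", [""])[0].strip("/")
        # Assumption: only a 200 response means the map page was actually served.
        if not route.endswith(MAP_PATH) or status != "200":
            continue
        cid = query.get("cid", [None])[0]
        if cid is not None:
            yield ip, cid

def summarize(log_text, threshold=3):
    """Map each client to the distinct contact ids it requested; flag likely enumeration."""
    seen = defaultdict(set)
    for ip, cid in map_requests(log_text):
        seen[ip].add(cid)
    return {ip: {"contacts": sorted(c), "enumeration": len(c) >= threshold}
            for ip, c in seen.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

The contact ids in the output are the records whose name and address may have been disclosed, which is the list needed for follow-up on an affected site.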