CiviCRM CRM-14856: Always load profile settings from database

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Critical
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.2.16, 4.4.5
    • Fix Version/s: 4.2.17, 4.4.6
    • Component/s: CiviCRM Profile
    • Security Level: Security - Published
    • Labels:
      None

      Description

Some advanced settings for CiviCRM profiles – such as post_URL and cancel_URL – are exported at runtime into an HTML FORM, returned in the POST-back, and then evaluated. Anyone who submits the form can therefore tamper with those values before they are used.

      To resolve this issue, we should update the profile-handling code to always load settings from the database.
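The vulnerable round-trip described above beside the database-backed fix, as an added PHP example that is not CiviCRM's own code; the settings table, function names and sample values are assumptions.

```php
<?php
// Constructed example, not CiviCRM code: a profile form that round-trips its
// redirect settings through the HTML form (vulnerable) next to one that reads
// them only from the database (fixed). Table layout and function names are
// hypothetical.

// Constructed stand-in for the stored profile settings.
const PROFILE_SETTINGS = [
    42 => ['post_URL' => '/civicrm/profile/thanks', 'cancel_URL' => '/civicrm/profile/list'],
];

function loadProfileSettings(int $gid): array {
    if (!isset(PROFILE_SETTINGS[$gid])) {
        throw new RuntimeException("Unknown profile id $gid");
    }
    return PROFILE_SETTINGS[$gid];
}

// Vulnerable pattern (as described in CRM-14856): settings are written into the
// form and trusted when they come back in the POST.
function renderFormVulnerable(int $gid): string {
    $s = loadProfileSettings($gid);
    return '<input type="hidden" name="gid" value="' . $gid . '">'
         . '<input type="hidden" name="post_URL" value="' . htmlspecialchars($s['post_URL']) . '">'
         . '<input type="hidden" name="cancel_URL" value="' . htmlspecialchars($s['cancel_URL']) . '">';
}

function postProcessVulnerable(array $post): string {
    // Whoever submits the form chooses where the user is sent afterwards.
    return $post['post_URL'] ?? '/';
}

// Fixed pattern: only the profile id travels through the form; everything else
// is re-read from the database on post-back.
function renderFormFixed(int $gid): string {
    return '<input type="hidden" name="gid" value="' . $gid . '">';
}

function postProcessFixed(array $post): string {
    $gid = (int) ($post['gid'] ?? 0);
    return loadProfileSettings($gid)['post_URL'];
}

// Constructed POST-back in which the submitter altered the hidden redirect fields.
$tampered = ['gid' => '42', 'post_URL' => 'https://untrusted.example/', 'cancel_URL' => 'https://untrusted.example/'];

echo "vulnerable redirects to: " . postProcessVulnerable($tampered) . "\n";
echo "fixed redirects to:      " . postProcessFixed($tampered) . "\n";
```

The fixed handler ignores any post_URL or cancel_URL in the request, so the redirect targets remain whatever the administrator stored for that profile.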

        Attachments

          Activity

            People

            • Assignee: Chris Burgess (xurizaemon)
            • Reporter: Tim Otten (timotten)
            • Votes: 0
            • Watchers: 2
