CiviCRM / CRM-1909

direct call to ajax.php bypasses ACLs, authentication

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 1.7
    • Fix Version/s: 1.8
    • Component/s: Core CiviCRM
    • Labels: None

    Description

    Our site allows only authenticated users to access information about the individuals in the system. But using the same query used by the auto-complete of the search box, I was able to dump a list of contacts in the system.

    To reproduce:

    wget "http://example.org/sites/all/modules/civicrm/extern/ajax.php?q=civicrm/search&d=1&s=t"

    will return all contacts starting with the letter T, and will not check authentication or ACLs.

    mathieu, "bgm" on irc in #civicrm.
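Sites that were still on 1.7 when this was reported would have wanted to know whether the extern endpoint had already been used to dump contacts. The following is an added example, not code from the report or from CiviCRM: it reads web-server access logs (combined log format is assumed), picks out successful requests to the extern ajax.php path with the q=civicrm/search query from the report, and flags any client that swept several distinct s= prefixes, which is what a letter-by-letter contact dump looks like in the log. The sample log lines, client addresses and the threshold of three prefixes are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log line (assumed format, not from the report).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

EXTERN_PATH = "/extern/ajax.php"   # path suffix taken from the report's URL
SEARCH_Q = "civicrm/search"        # q= value taken from the report's URL


def parse_line(line):
    """Return (ip, status, path, query dict) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), int(m.group("status")), parts.path, parse_qs(parts.query)


def is_extern_search(path, query):
    """True when the request hits the unauthenticated autocomplete endpoint."""
    return path.endswith(EXTERN_PATH) and query.get("q", [""])[0] == SEARCH_Q


def find_enumeration(lines, min_prefixes=3):
    """
    Group successful extern search hits by client address and return
    {ip: sorted prefixes} for clients that swept at least `min_prefixes`
    distinct 's' values.  A normal autocomplete user types a few letters of one
    name; a dump walks many different starting letters from one client.
    """
    prefixes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines instead of failing
            continue
        ip, status, path, query = rec
        if status == 200 and is_extern_search(path, query):
            prefixes[ip].add(query.get("s", [""])[0].lower())
    return {ip: sorted(p) for ip, p in prefixes.items() if len(p) >= min_prefixes}


# Constructed sample log lines (not real traffic); 203.0.113.7 sweeps prefixes,
# 198.51.100.4 is an ordinary logged-in user using the search box once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2007:10:00:01 +0000] "GET /sites/all/modules/civicrm/extern/ajax.php?q=civicrm/search&d=1&s=t HTTP/1.1" 200 5120 "-" "Wget/1.10"
203.0.113.7 - - [10/Oct/2007:10:00:02 +0000] "GET /sites/all/modules/civicrm/extern/ajax.php?q=civicrm/search&d=1&s=a HTTP/1.1" 200 4870 "-" "Wget/1.10"
203.0.113.7 - - [10/Oct/2007:10:00:03 +0000] "GET /sites/all/modules/civicrm/extern/ajax.php?q=civicrm/search&d=1&s=m HTTP/1.1" 200 4010 "-" "Wget/1.10"
198.51.100.4 - - [10/Oct/2007:10:05:00 +0000] "GET /sites/all/modules/civicrm/extern/ajax.php?q=civicrm/search&d=1&s=jo HTTP/1.1" 200 310 "http://example.org/civicrm/dashboard" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2007:10:05:01 +0000] "GET /civicrm/dashboard HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is garbage and will be skipped
"""

if __name__ == "__main__":
    for ip, swept in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: swept {len(swept)} prefixes via {EXTERN_PATH}: {', '.join(swept)}")
```

Because the extern endpoint performed no authentication or ACL check in the affected version, the access log is the only place a dump leaves a trace; the threshold is deliberately a parameter so it can be tuned to a site's real autocomplete traffic, and the real fix remains the 1.8 release named in the issue.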


    People

    • Assignee: Sunil Pawar (sunil)
    • Reporter: Mathieu Lutfy (mlutfy)
    • Votes: 0
    • Watchers: 0
