Details
- Type: Security Advisory
- Status: Won't Do
- Priority: Major
- Resolution: Won't Do
- Affects Version/s: 4.7.13
- Fix Version/s: Unscheduled
- Component/s: CiviCRM API
- Labels:
- Versioning Impact: Patch (backwards-compatible bug fixes)
- Documentation Required?: None
- Funding Source: Needs Funding
- Verified?: Yes
Description
I admit I may have something misconfigured, but if I do, I believe it is probably a common misconfiguration.
In CiviCRM, I have "Force Secure URLs (SSL)" under Resource URLs set to Yes. Additionally, I have the following in my httpd.conf:
    # mod_rewrite does nothing unless the engine is switched on in this context
    RewriteEngine On
    # Redirect every cleartext request to the same host and path over HTTPS.
    # An absolute https:// substitution already forces an external redirect;
    # [R=301,L] makes it a permanent one and stops further rule processing.
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # HSTS: "always set" sends exactly one header, including on error responses.
    # Browsers only honour it when it arrives over HTTPS, so it belongs in the :443 vhost.
    Header always set Strict-Transport-Security "max-age=15768000"
This works as expected most of the time, forcing all connections to HTTPS. However, as this is a dev site, I'm using a self-signed certificate and was having trouble using the Pentaho Data Integrator CiviCRM Input and CiviCRM Output plugins. Out of frustration, I removed the 's' from the address bar. I was rather surprised when the entity list was returned, and then a bit concerned when I was shown the data. Firing up Wireshark shows the data flowing back and forth over HTTP connections, not HTTPS, as readable plaintext.
I am unsure of how to follow up with additional testing.
CentOS release 6.8 (Final)
httpd -ver
Server version: Apache/2.2.15 (Unix)
Server built: Jul 18 2016 15:24:00
php -v
PHP 5.4.40 (cli) (built: Aug 30 2016 13:52:21)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with Zend OPcache v7.0.4, Copyright (c) 1999-2014, by Zend Technologies
yum list *php
Installed Packages
php54-php.x86_64 5.4.40-4.el6 @centos-sclo-rh
WordPress Version 4.6.1
CiviCRM 4.7.13
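One way to follow up on a report like this is to probe each endpoint over plain http:// without following redirects and record whether the server answered with a redirect to https:// or simply served the request in cleartext. The script below is an added example for that check; it is not the reporter's code and not part of CiviCRM. The hostname, the list of paths (including the WordPress-plugin REST path) and the constructed responses used for testing are assumptions; adjust the paths to your own install.

```python
"""Probe cleartext-HTTP endpoints and report which ones are forced to HTTPS.

Added example, not CiviCRM or the reporter's code. Host and paths are
assumptions; the fetcher can be swapped for constructed responses offline.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (status code, response headers) captured from one http:// request,
# with no redirect followed, so a 301/302 is what we get to inspect.
Response = Tuple[int, Dict[str, str]]
Fetcher = Callable[[str], Response]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx; urllib then raises HTTPError carrying the headers."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_plain_http(url: str, timeout: float = 5.0) -> Response:
    """GET `url` over cleartext HTTP and return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, dict(err.headers.items())


@dataclass
class Finding:
    url: str
    status: int
    location: Optional[str]
    hsts: Optional[str]

    @property
    def enforced(self) -> bool:
        """True only if the server redirected the cleartext request to https://."""
        redirected = self.status in (301, 302, 307, 308)
        return redirected and bool(self.location) and self.location.lower().startswith("https://")

    def describe(self) -> str:
        verdict = "OK   redirected to HTTPS" if self.enforced else "FAIL answered over cleartext HTTP"
        return f"{verdict}: {self.url} (status {self.status}, HSTS={self.hsts!r})"


def classify(url: str, status: int, headers: Dict[str, str]) -> Finding:
    """Normalise header names and extract the two we care about."""
    h = {k.lower(): v for k, v in headers.items()}
    return Finding(url, status, h.get("location"), h.get("strict-transport-security"))


def audit(host: str, paths: List[str], fetch: Fetcher = fetch_plain_http) -> List[Finding]:
    """Probe every path on `host` over http:// and classify each answer."""
    findings = []
    for path in paths:
        url = f"http://{host}{path}"
        status, headers = fetch(url)
        findings.append(classify(url, status, headers))
    return findings


# Assumed paths for a WordPress + CiviCRM 4.7 site: front page, the CiviCRM
# dashboard inside wp-admin, and the REST entry point the Pentaho plugins use.
DEFAULT_PATHS = [
    "/",
    "/wp-admin/admin.php?page=CiviCRM&q=civicrm/dashboard",
    "/wp-content/plugins/civicrm/civicrm/extern/rest.php?entity=Contact&action=get&json=1",
]

if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "dev.example.org"  # assumed hostname
    results = audit(host, DEFAULT_PATHS)
    for finding in results:
        print(finding.describe())
    sys.exit(0 if all(f.enforced for f in results) else 1)
```

A 200 from rest.php over http:// already demonstrates the problem even when the body is only an authentication error, because the request reached the API handler unencrypted and any api_key in the query string travelled in cleartext. Note that the HSTS header is not a substitute for the redirect here: a non-browser client such as the Pentaho plugin ignores it, and browsers only honour it when it arrives over HTTPS.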