Details
Type: Security Advisory
Status: Done/Fixed
Priority: Trivial
Resolution: Fixed/Completed
Affects Version/s: 4.7.18, 4.6.27
Component/s: Core CiviCRM
Security Level: Security - Published
Labels: None
Versioning Impact: Patch (backwards-compatible bug fixes)
Documentation Required?: None
Funding Source: Core Team Funds
Verified?: Yes
Description
At https://github.com/civicrm/civicrm-core/blob/master/CRM/Utils/VersionCheck.php#L73 the default URL for latest.civicrm.org is defined over http rather than https.
This is an issue because sensitive information is transmitted when this URL is called, including the OS, database and CiviCRM versions; the number of contacts, contributions and memberships in the database; the list of enabled extensions; and many other such metrics. Over plain http all of that is sent in cleartext and can be read by anyone able to observe the network path.
Exploitation requires tapping the call from the CiviCRM instance to the civicrm.org infrastructure, so in practice it is within reach of on-path observers, governmental entities above all. That is a real concern for any organisation subject to being monitored by its own or a foreign government.
The fix is trivial, and the back-end infrastructure is ready for the move (i.e. the vhost is defined over https, with a certificate in place and monitored).
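As an added example (not CiviCRM's own code and not the patch applied for this issue), here is a minimal PHP client for the version-check call described above. It refuses to transmit the site metrics unless the configured URL is https, and it pins the whole exchange, redirects included, to TLS with certificate verification. The URL path, the payload field names and the sample values are assumptions; only the host latest.civicrm.org comes from the report.

```php
<?php
// Added example, not CiviCRM's own code: a hardened client for the
// version-check / usage-statistics call, so that site metrics can never
// leave the server over plaintext HTTP.
// The URL path, payload field names and sample values are assumptions.

declare(strict_types=1);

// Only the host is stated in the advisory; the path is assumed for illustration.
const LATEST_VERSION_URL = 'https://latest.civicrm.org/';

/**
 * Refuse any URL whose scheme is not https. A plaintext http URL would expose
 * the whole payload to anyone who can observe the network path.
 */
function assertHttpsUrl(string $url): void
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || strtolower($scheme) !== 'https') {
        throw new RuntimeException("Refusing to send site statistics over non-https URL: {$url}");
    }
}

/**
 * POST the statistics payload to $url with TLS enforced end to end:
 * the certificate is verified, and neither the first request nor any
 * redirect may fall back to plain http.
 */
function sendSiteStats(string $url, array $stats): string
{
    assertHttpsUrl($url);

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($stats),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_SSL_VERIFYPEER  => true,            // reject untrusted certificates
        CURLOPT_SSL_VERIFYHOST  => 2,               // certificate must match the hostname
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // https only for the first hop ...
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // ... and for every redirect
        CURLOPT_MAXREDIRS       => 3,
    ]);

    $body = curl_exec($ch);
    $err  = curl_error($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("Version check failed: {$err}");
    }
    if ($code !== 200) {
        throw new RuntimeException("Version check returned HTTP {$code}");
    }
    return (string) $body;
}

// Constructed sample payload mirroring the kinds of metrics the advisory lists.
$stats = [
    'version'       => '4.7.18',
    'uf'            => 'Drupal',
    'phpVersion'    => PHP_VERSION,
    'mysqlVersion'  => '5.7.18',
    'os'            => PHP_OS,
    'contacts'      => 12345,
    'contributions' => 2345,
    'memberships'   => 678,
    'extensions'    => ['org.civicrm.example', 'org.civicrm.another'], // constructed names
];

// The plaintext default from the report is rejected before any bytes are sent.
try {
    sendSiteStats('http://latest.civicrm.org/', $stats);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The corrected default goes out over TLS with certificate verification.
// (Needs network access; wrapped so the script still completes offline.)
try {
    echo substr(sendSiteStats(LATEST_VERSION_URL, $stats), 0, 200), PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two caveats worth keeping in mind when applying the one-line fix itself. An http default that the server later redirects to https does not help, because the metrics are already on the wire in the first request; the URL has to be https from the start. And the inverse downgrade, an https URL answered with a redirect to http, is only closed if the HTTP client restricts redirect protocols as well, which is what CURLOPT_REDIR_PROTOCOLS does above.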