CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Topic: Possible security risk?

doronesk

  • I’m new here
  • Posts: 1
  • Karma: 0
  • CiviCRM version: 4.2.2
  • CMS version: Drupal 7.15
  • MySQL version: 5.5.27
  • PHP version: 5.3.17
Possible security risk?
December 19, 2012, 09:03:09 am
I recently used a Global Technologies' website security scan service to scan a CiviCRM site. I received a report detailing one extremely high security risk and 7 high security risks related to CiviCRM. I am running CiviCRM 4.2.2 on Drupal 7.15.

The extremely high security issue has to do with Server side XML injection vector and the actual message is:
Scan Message: responses for \x3csfish\x3e\x3c/sfish\x3e and \x3c/sfish\x3e\x3csfish\x3e look different

Can anyone help me shed some more light on this?
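The scanner verdict quoted above is a differential check: it submits a well-formed tag pair and the same pair reversed (malformed), then flags any difference between the two responses. As an added example that is not part of the original post, the Python below decodes the two probes from the scan message and shows how a page that carries per-request content (a Drupal form_build_id token, a timestamp, the echoed input) trips that check without the server parsing any XML at all, and how normalizing that content separates a real difference from noise. The sample responses and the volatile-content patterns are constructed assumptions, not taken from the thread.

```python
import html
import re

# The scanner message from the report, with its \x3c / \x3e escapes left as printed.
SCAN_MESSAGE = r"responses for \x3csfish\x3e\x3c/sfish\x3e and \x3c/sfish\x3e\x3csfish\x3e look different"


def decode_probes(message: str) -> list[str]:
    """Return the probe strings in a scanner message with \\xNN escapes decoded."""
    tokens = re.findall(r"\S*\\x\S*", message)
    return [re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), t)
            for t in tokens]


def normalize(body: str, probes: list[str]) -> str:
    """Blank out content that legitimately differs between two otherwise identical responses.

    Assumed volatile fields: the echoed probe (raw or HTML-escaped), Drupal 7's
    per-request form_build_id / form_token values, and a rendered timestamp.
    """
    for p in probes:
        body = body.replace(html.escape(p), "PROBE").replace(p, "PROBE")
    body = re.sub(r'(name="(?:form_build_id|form_token)" value=")[^"]*"', r'\1TOKEN"', body)
    body = re.sub(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", "TIME", body)
    return body


def responses_differ(resp_a: str, resp_b: str, probes: list[str]) -> bool:
    """True only if the two responses still differ once volatile content is removed."""
    return normalize(resp_a, probes) != normalize(resp_b, probes)


# Constructed sample responses (not from the original post): a Drupal-style form page
# that echoes the submitted value and carries a fresh form_build_id on every request.
RESP_A = ('<form><input type="hidden" name="form_build_id" value="form-Ab12" />'
          '<input name="q" value="&lt;sfish&gt;&lt;/sfish&gt;" /></form>'
          '<p>Generated 2012-12-19 09:03:09</p>')
RESP_B = ('<form><input type="hidden" name="form_build_id" value="form-Zz98" />'
          '<input name="q" value="&lt;/sfish&gt;&lt;sfish&gt;" /></form>'
          '<p>Generated 2012-12-19 09:03:10</p>')
# A response that really does differ: the malformed probe produced a parser error message.
RESP_ERR = RESP_B + '<p class="error">XML parse error at line 1</p>'

if __name__ == "__main__":
    probes = decode_probes(SCAN_MESSAGE)
    print("probes:", probes)
    print("A vs B (noise only):", responses_differ(RESP_A, RESP_B, probes))
    print("A vs ERR (real signal):", responses_differ(RESP_A, RESP_ERR, probes))
```

A raw byte-for-byte comparison, which is what the scanner appears to do, reports RESP_A and RESP_B as different; after normalization only the parser-error case remains, which is the one worth sending to security@civicrm.org.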


Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Possible security risk?
December 19, 2012, 09:11:52 am

can you please share the complete report with:

security@civicrm.org

we'll probably have more questions that you might need to ask Global Technologies. We can handle the follow-up via email (since these are security issues potentially)

thanx

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

Hershel

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • Posts: 4640
  • Karma: 176
    • CiviHosting
  • CiviCRM version: Latest
  • CMS version: Mostly WordPress and Drupal
Re: Possible security risk?
December 20, 2012, 04:48:13 am
If the results are that even some of Global Technologies' "issues" aren't real, please let us know here also.

Thank you.
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007

See here for the official: What to do if you think you've found a bug.

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Possible security risk?
December 20, 2012, 07:59:58 am

We've done a preliminary analysis of the Global Technologies issues.

So far most of them are not real. There is one issue which we don't understand and have asked for more clarification.

lobo

Hershel

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • Posts: 4640
  • Karma: 176
    • CiviHosting
  • CiviCRM version: Latest
  • CMS version: Mostly WordPress and Drupal
Re: Possible security risk?
December 20, 2012, 08:03:03 am
Quote from: Donald Lobo on December 20, 2012, 07:59:58 am
So far most of them are not real.

That's what I thought.

I have been dealing with, not related to this, a PCI Compliance scan company whose scan contains completely bogus security "issues." I had to email them repeatedly, and then request that a manager review my emails, before they finally realized that I was right.