Note: This document is being published in June 2013 to conform with our new disclosure format. However, the issue was previously disclosed in detail in a civicrm.org blog-post (April 2013) and in summary in a civicrm.org release-announcement (Nov 2012).
OpenFlashChart is a PHP library used to render dashboards and reports in CiviCRM v3+. The OpenFlashChart source code includes various example files, and one of those example files allows remote, unauthenticated users to upload files. If an attacker uploads an executable file (such as a PHP or CGI file), then he can seriously compromise the site's security.
CiviCRM v4.2.6+ are secure against this vulnerability, but some upgraded installations may still be vulnerable if the upgrade was misapplied. As a precaution, we encourage all administrators to determine if their installation is vulnerable (see below).
To verify whether a site is vulnerable, look in the "civicrm" source tree for the file "packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php" . If the file exists, then you should proceed with preventing and identifying attacks.
CiviCRM v3.1.0 - v4.2.5
Prevent Attacks: Delete the Vulnerable File
The simplest, most direct way to prevent attackers from exploiting this vulnerability is to delete the vulnerable file. Within the "civicrm" directory tree, the file is called:
This file was deleted in CiviCRM v4.2.6+. If you are running an older version you should immediately delete this file.
Prevent Attacks: Don't allow web-server to create & execute a file
System administrators can help prevent similar attacks in the future by ensuring that the web server user (e.g. "www-data" or "apache") cannot create files in the source-code directory; or, similarly, by ensuring that any files written by the web-server cannot be later executed by the web-server. The implementation details vary among hosting environments (with different operating systems, web servers, usernames, customized paths, etc.), but the following is a common formulation:
- The source tree for CiviCRM, Drupal, etal should not be owned by the web user or web group (e.g. "www-data" or "apache").
- The source tree should not allow writing by the web user or group (e.g. "www-data" or "apache").
- The data file directory (e.g. Drupal's "sites/default/files") should not allow remote users to execute PHP files. In many Drupal installs, this is prevented automaticaly because the .htaccess includes "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006" and "Options None".
This is a general preventive policy but comes with some trade-offs -- e.g. it restricts both administrators and attackers, and some administrators may not be able to lock down all folders. Not-with-standing these caveats, the central point remains: the more you can lock down folders, the better.
If you administer a site which has been vulnerable to this issue, then you should search your HTTP request logs for past requests matching "packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php". If none found, then you're probably ok.
- Jeffrey Lyon, et al
- CiviCRM LLC