Security Risk: 
Moderately Critical
Vulnerability: 
Arbitrary PHP Code Execution
Affected Versions: 

CiviCRM v1.6.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions: 

CiviCRM v4.2.10 and v4.3.4

Publication Date: 
Monday, June 10, 2013
Description: 

html2text is a library which converts HTML documents to plain-text documents. CiviMail uses html2text to convert HTML email messages to plain-text email messages. A bug in the processing of certain HTML tags causes html2text to evaluate PHP code from the HTML document. Any authenticated staff user with permission to send email (e.g. permission "access CiviMail") can therefore execute PHP code.

This vulnerability is mitigated by the following factors:

  • The vulnerability requires permission to send email through the CiviCRM backend.
  • The interfaces for composing HTML email messages are protected against cross-site request forgery; therefore, exploiting this vulnerability requires user interaction.
  • All form submissions are heuristically checked for suspicious inputs (such as embedded PHP or JavaScript) using PHPIDS.
  • Email text generated via token (e.g. "{contact.first_name}") is not evaluated with html2text; therefore, untrusted contact data (such as "first name" or "last name") cannot be used as a vector of attack.
Solutions: 

Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM 4.2.10+ or 4.3.4+
  • Manually upgrade "packages/html2text" (as below)

How to Manually Upgrade "packages/html2text"

  1. Remove the file "packages/html2text/class.html2text.inc"
  2. Download "https://raw.github.com/civicrm/civicrm-packages/4.3/html2text/rcube_html..." and place it in "packages/html2text/rcube_html2text.php"
  3. Patch "CRM/Utils/String.php" with revision 7a999ea
Credits: 
  • Neil Drumm
  • Donald Lobo (CiviCRM LLC)
  • Aleksander Machniak (Roundcube)
CVE: 
CVE-2008-5619