Published
2013-06-06 09:54
html2text is a library which converts HTML documents to plain-text documents. CiviMail uses html2text to convert HTML email messages to plain-text email messages. A bug in the processing of certain HTML tags causes html2text to evaluate PHP code from the HTML document. Any authenticated staff user with permission to send email (e.g. permission "access CiviMail") can therefore execute PHP code.
This vulnerability is mitigated by the following factors:
- The vulnerability requires permission to send email through the CiviCRM backend.
- The interfaces for composing HTML email messages are protected against cross-site request forgery; therefore, exploiting this vulnerability requires user interaction.
- All form submissions are heuristically checked for suspicious inputs (such as embedded PHP or JavaScript) using PHPIDS.
- Email text generated via token (e.g. "{contact.first_name}") is not evaluated with html2text; therefore, untrusted contact data (such as "first name" or "last name") cannot be used as a vector of attack.
Security Risk
Moderately Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions
CiviCRM v1.6.0 - v4.2.9, v4.3.0 - v4.3.3
Fixed Versions
CiviCRM v4.2.10 and v4.3.4
Solutions
Any ONE of the following solutions will provide protection:
- Upgrade to CiviCRM 4.2.10+ or 4.3.4+
- Manually upgrade "packages/html2text" (as below)
How to Manually Upgrade "packages/html2text"
- Remove the file "packages/html2text/class.html2text.inc"
- Download "https://raw.github.com/civicrm/civicrm-packages/4.3/html2text/rcube_html2text.php" and place it in "packages/html2text/rcube_html2text.php"
- Patch "CRM/Utils/String.php" with revision 7a999ea
Credits
- Neil Drumm
- Donald Lobo (CiviCRM LLC)
- Aleksander Machniak (Roundcube)
References
CVE
CVE-2008-5619
