Security Risk: 
Less Critical
Affected Versions: 

CiviCRM v4.3.4 and all previous versions

Fixed Versions: 

CiviCRM v4.3.5

Publication Date: 
Monday, July 8, 2013

CiviCRM communicates with multiple payment-processing services via SSL. In order to establish the remote payment-processing service is authentic, the SSL certificate it provides must be verified.

The following payment processors included in CiviCRM contained code which disabled verification of the certificate hostname (CURLOPT_SSL_VERIFYHOST).

  • Elavon
  • FirstData
  • Google
  • Paypal
  • Payflow
  • PaymentExpress

Note: This vulnerability can only be exploited by an attacker who is positioned to actively manipulate Internet traffic as it passes between one's web-server and one's payment-processor.


Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM 4.3.5+
  • Manually apply the fix to your payment processor.

Manually correcting your payment processor:

If you are unable to upgrade to 4.3.5, this is a simple modification to make to your current payment processor. Identify the code in your payment processor file(s) which sets CURLOPT_SSL_VERIFYHOST to 0 or FALSE, and either

  • remove the line entirely (restoring the default value of 2), or
  • explicitly set the value to 2

Sites running non-core payment processors (either published CiviCRM extensions or local custom code) are encouraged to review their own payment processors. If you identify a similar vulnerability in a CiviCRM extension, please report it to the CiviCRM team immediately.

  • Andrew McNaughton
  • Tim Otten (CiviCRM LLC)
  • Kevin McArthur