CIVI-SA-2013-007 - SSL verification bypass

2013-07-07 15:44
CiviCRM communicates with multiple payment-processing services via SSL. To establish that the remote payment-processing service is authentic, the SSL certificate it presents must be verified, including a check that the certificate's name matches the host being contacted.

The following payment processors included in CiviCRM contained code which disabled verification of the certificate hostname (CURLOPT_SSL_VERIFYHOST).

  • Elavon
  • FirstData
  • Google
  • Paypal
  • Payflow
  • PaymentExpress

Note: This vulnerability can only be exploited by an attacker who is positioned to actively manipulate Internet traffic as it passes between the web server and the payment processor (a man-in-the-middle position).

Security Risk

Less Critical

Affected Versions

CiviCRM v4.3.4 and all previous versions

Fixed Versions

CiviCRM v4.3.5


Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM 4.3.5+
  • Manually apply the fix to your payment processor.

Manually correcting your payment processor:

If you are unable to upgrade to 4.3.5, this is a simple modification to make to your current payment processor. Identify the code in your payment processor file(s) which sets CURLOPT_SSL_VERIFYHOST to 0 or FALSE, and either

  • remove the line entirely (restoring the default value of 2), or
  • explicitly set the value to 2
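An added example, not CiviCRM's own code, contrasting the weak curl configuration the advisory describes with the corrected one; the gateway URL and POST fields are assumed placeholders.

```php
<?php
// Added example (not CiviCRM code). $gatewayUrl and $postFields are assumed
// placeholders for a real payment-processor endpoint and its request fields.

/** The pattern this advisory describes: host-name verification switched off. */
function insecurePaymentRequest($gatewayUrl, array $postFields)
{
    $ch = curl_init($gatewayUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
    // Weak setting: with VERIFYHOST 0 any certificate chaining to a trusted CA
    // is accepted even if it was issued for an unrelated name, so an on-path
    // attacker holding any valid certificate can impersonate the gateway.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

/** Corrected form: verify the chain and require the name to match the host. */
function securePaymentRequest($gatewayUrl, array $postFields)
{
    $ch = curl_init($gatewayUrl);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($postFields),
        // Check the certificate chain against the CA bundle (system bundle or
        // the one named by curl.cainfo in php.ini).
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 is the correct value (and curl's default). Do not use 1: libcurl
        // versions either reject it or silently map it back to 2.
        CURLOPT_SSL_VERIFYHOST => 2,
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        // Fail closed: a verification failure aborts the transaction rather
        // than retrying without verification.
        throw new RuntimeException("Payment gateway TLS/transport error: $err");
    }
    curl_close($ch);
    return $body;
}
```

When auditing processor files, any `curl_setopt(..., CURLOPT_SSL_VERIFYHOST, 0)` or `FALSE` is the line to remove or change to 2; check `CURLOPT_SSL_VERIFYPEER` at the same time, since setting it to false disables chain validation entirely.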

Sites running non-core payment processors (either published CiviCRM extensions or local custom code) are encouraged to review their own payment processors. If you identify a similar vulnerability in a CiviCRM extension, please report it to the CiviCRM team immediately.

Credits:

  • Andrew McNaughton
  • Tim Otten (CiviCRM LLC)
  • Kevin McArthur