CiviCRM v3.3 introduced the extensions directory, which retrieves extension listings and extension code via HTTP, and v4.3 introduced a new dashboard feed, which displays news and updates retrieved from CiviCRM.org. Before v4.3.5 both were retrieved over an unencrypted channel, which raises the possibility of an attacker injecting malicious code via a man-in-the-middle (MITM) attack.
In v4.3.5+, this data is retrieved over SSL, which reduces the potential for malicious content injection.
Note: This vulnerability can only be exploited by an attacker who is positioned to actively manipulate Internet traffic as it passes between the site's web server and civicrm.org.
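The defensive check a site operator would want here is an audit of which remote endpoints are still fetched in the clear, plus a fetcher that fails closed on anything other than verified HTTPS. The following is an added example, not CiviCRM's own code: the setting names and the URL paths under civicrm.org are constructed placeholders, and the audit logic is generic rather than tied to CiviCRM's real configuration storage.

```python
"""Audit the transport used for remote extension-directory and feed URLs.

Added example, not CiviCRM's code. Setting names and URL paths are constructed
placeholders; CiviCRM keeps its real endpoints elsewhere.
"""
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample configuration: one plaintext endpoint (the pre-4.3.5
# situation), one HTTPS endpoint (post-4.3.5), and a non-HTTP scheme.
SAMPLE_ENDPOINTS = {
    "extension_directory_url": "http://civicrm.org/PLACEHOLDER-extdir",
    "dashboard_feed_url": "https://civicrm.org/PLACEHOLDER-feed",
    "extension_mirror_url": "ftp://mirror.example/PLACEHOLDER",
}


def transport_risk(url):
    """Classify a URL by the transport it would use.

    "plaintext" - http/ftp/...: content can be read and altered in transit
    "encrypted" - https: integrity protected by TLS, provided the client
                  verifies the server certificate and hostname
    "invalid"   - no usable scheme or host
    """
    parts = urlparse(url)
    if not parts.scheme or not parts.netloc:
        return "invalid"
    if parts.scheme.lower() == "https":
        return "encrypted"
    return "plaintext"


def audit_endpoints(endpoints):
    """Return the names of endpoints that would pull content in the clear."""
    return sorted(name for name, url in endpoints.items()
                  if transport_risk(url) != "encrypted")


def build_verifying_context():
    """TLS context that verifies the chain and the hostname.

    These are the defaults of ssl.create_default_context(); they are asserted
    explicitly because disabling either turns HTTPS back into a channel an
    on-path attacker can tamper with.
    """
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify the peer")
    return ctx


def fetch_trusted(url, timeout=10):
    """Fetch remote content only over verified HTTPS; refuse anything else.

    Raises ValueError before opening a socket when the URL is not https, so a
    misconfigured plaintext endpoint fails closed instead of silently pulling
    code over an injectable channel.
    """
    if transport_risk(url) != "encrypted":
        raise ValueError(f"refusing non-HTTPS fetch of {url!r}")
    with urllib.request.urlopen(url, timeout=timeout,
                                context=build_verifying_context()) as resp:
        return resp.read()


if __name__ == "__main__":
    for name in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{name}: fetched in the clear -> {SAMPLE_ENDPOINTS[name]}")
```

Run against a real configuration, the audit would be fed the site's actual endpoint settings instead of the constructed sample; the point of `fetch_trusted` is that the scheme check happens before any network activity, so an overlooked `http://` entry produces an error rather than a silently downloaded extension.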
Affected versions: CiviCRM v3.3 - v4.3.4
Any ONE of the following solutions will provide protection:
- Upgrade to CiviCRM v4.3.5+.
- (For sites running CiviCRM v4.2.x) Disable download of new extensions. (Note: The other vulnerabilities in this advisory do not apply to CiviCRM v4.2.x.)
- (For sites running CiviCRM v4.1.x or earlier) Refrain from downloading extensions through the web interface. (Note: The other vulnerabilities in this advisory do not apply to CiviCRM v4.1.x or earlier.)
- Jamie McClelland (Progressive Technology Project)
- Tim Otten (CiviCRM LLC)
- Coleman Watts (CiviCRM LLC)