Security Risk: Critical
Vulnerability: Access Bypass, Information Disclosure
Affected Versions:
  • CiviCRM v4.5.0 - v4.5.6
  • CiviCRM v4.4.0 - v4.4.12
  • CiviCRM v3.4 - v4.3 are not vulnerable by default but could be configured to be vulnerable.
Fixed Versions: CiviCRM v4.5.7+, v4.4.13+
Publication Date: Wednesday, March 4, 2015
Description: 

CiviCRM bundles the dompdf library for generating PDF documents. dompdf ships with a standalone utility script, "dompdf.php", located under packages/dompdf/; old versions of this script allow arbitrary file access (an attacker can read files on the server) when the system is configured with the option "DOMPDF_ENABLE_REMOTE" enabled.

(Note: The original upstream advisory from the dompdf project states that the option "DOMPDF_ENABLE_PHP" must also be enabled to exploit this vulnerability. That option appears to have no effect on the vulnerability in the version of "dompdf.php" that shipped with CiviCRM, and it is disabled by default in CiviCRM. In other words, leaving "DOMPDF_ENABLE_PHP" off does not protect a CiviCRM site; "DOMPDF_ENABLE_REMOTE" is the setting that matters.)

Solutions: 

Any ONE of the following is adequate to protect against the vulnerability:

  • Upgrade to CiviCRM 4.5.7+ or 4.4.13+
  • Delete the file packages/dompdf/dompdf.php
  • In the file packages/dompdf/dompdf_config.inc.php, set define("DOMPDF_ENABLE_REMOTE", false). (NOTE: If you generate PDF documents which include images, disabling this option may break image-handling.)
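As an added example (not part of this advisory and not CiviCRM's or dompdf's own code), the following POSIX shell script applies the advisory's version ranges and checks a CiviCRM install for the mitigations listed above. The version ranges and file paths are taken from the advisory; the grep patterns, the status names and the assumption that a dompdf config may declare the option through a def() helper as well as define() are the example's own.

```shell
#!/bin/sh
# Added example for the CiviCRM dompdf.php advisory; not project code.
#   civicrm_version_status VERSION -> prints affected | fixed | not-by-default | unknown
#   dompdf_exposure CIVICRM_ROOT   -> exit 0 if dompdf.php is absent or
#                                     DOMPDF_ENABLE_REMOTE is defined false, 1 otherwise
# Version ranges and paths come from the advisory; the regexes, status names
# and the def() handling are assumptions of this script.

# Classify a CiviCRM version string against the advisory's ranges.
civicrm_version_status() {
    v="$1"
    case "$v" in [0-9]*.[0-9]*) ;; *) echo unknown; return 0 ;; esac
    major=${v%%.*}
    rest=${v#"$major".}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#"$minor".}; patch=${patch%%[!0-9]*} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    minor=${minor%%[!0-9]*}
    [ -n "$minor" ] || { echo unknown; return 0; }
    [ -n "$patch" ] || patch=0

    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 5 ]; }; then
        echo fixed                      # anything beyond the 4.5.7+ line
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 5 ]; then
        if [ "$patch" -ge 7 ]; then echo fixed; else echo affected; fi
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 4 ]; then
        if [ "$patch" -ge 13 ]; then echo fixed; else echo affected; fi
    elif { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; } || { [ "$major" -eq 4 ] && [ "$minor" -le 3 ]; }; then
        echo not-by-default             # v3.4 - v4.3: depends on configuration
    else
        echo unknown
    fi
}

# Return 0 when one of the advisory's mitigations is in place, 1 when the
# standalone script is present and DOMPDF_ENABLE_REMOTE is not defined false.
dompdf_exposure() {
    root="$1"
    script="$root/packages/dompdf/dompdf.php"
    config="$root/packages/dompdf/dompdf_config.inc.php"

    # Mitigation: the standalone utility script has been deleted.
    if [ ! -f "$script" ]; then
        echo "ok: $script is absent"
        return 0
    fi

    # Mitigation: DOMPDF_ENABLE_REMOTE defined as false. PHP keeps the first
    # define() of a constant (and a def() helper, assumed here, skips names
    # already defined), so only the first live, uncommented definition counts.
    q='["'"'"']'
    name_pat="def(ine)?[[:space:]]*\([[:space:]]*${q}DOMPDF_ENABLE_REMOTE${q}"
    false_pat="${name_pat}[[:space:]]*,[[:space:]]*false[[:space:]]*\)"
    first=$(grep -Ev '^[[:space:]]*(//|#|\*)' "$config" 2>/dev/null \
            | grep -E "$name_pat" | head -n 1)
    if printf '%s\n' "$first" | grep -Eq "$false_pat"; then
        echo "ok: DOMPDF_ENABLE_REMOTE is disabled in $config"
        return 0
    fi

    echo "EXPOSED: $script is present and DOMPDF_ENABLE_REMOTE is not disabled in $config"
    return 1
}

# Usage: sh civicrm_dompdf_check.sh VERSION CIVICRM_ROOT
if [ $# -eq 2 ]; then
    echo "CiviCRM $1: $(civicrm_version_status "$1")"
    dompdf_exposure "$2"
fi
```

The config check only trusts the first uncommented definition because a later define() of the same constant does not override an earlier one; a site that appended define("DOMPDF_ENABLE_REMOTE", false) below an existing define(..., true) would still be exposed, and the script reports it as such.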
Credits: 
  • Alejo Murillo Moya
  • Neil Drumm (drupal.org)
  • Tim Otten (civicrm.org)
  • Nicolas Ganivet (cividesk.com)
CVE: 
CVE-2014-2383