CIVI-SA-2015-003 - Persistent XSS in Drupal watchdog integration

2015-02-28 22:02
Written by

By default, CiviCRM records log entries in a flat text file. Optionally, log entries may be directed to Drupal's watchdog() service. If this option is enabled, and if a log entry includes user-supplied data, the user-supplied data may not be correctly encoded. When an administrator browses the log entries, they may be exposed to a cross-site scripting attack.

Security Risk
Moderately Critical
Cross Site Scripting
Affected Versions

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

CiviCRM v4.3.0 - v4.3.10

CiviCRM v4.2.0 - v4.2.19

(Older versions: Unassessed)


Fixed Versions

CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+



Any ONE of the following should provide forward protection:

  • Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+
  • In "Administer => System Settings => Debugging and Error Handling", disable the integration with Drupal watchdog.

Additionally, you may want to protect against malicious log entries that could have been created before, e.g.

  • Make an archival backup of the Drupal watchdog table (e.g. "mysqldump DRUPALDB watchdog > /var/backups/old_watchdog.sql") and then truncate the table (in MySQL "TRUNCATE watchdog"). If you need to access the old watchdog records, review the old_watchdog.sql.
  • Search the table for any messages that include markup and review them for safety (e.g. "SELECT * FROM watchdog WHERE message LIKE '%<%'"). Delete or clean suspicious records.
  • John Prescott and David Knoll (Future First)
  • Eileen McNaughton and Chris Burgess (Fuzion)