CIVI-SA-2016-17: Manage CSRF overrides for external profile forms

Published
2016-08-31 20:52
Written by

CiviCRM allows administrators to define custom profile-forms in which constituents enter their names, addresses, custom data, etc. CiviCRM is designed to embed all its forms within a CMS (such as Drupal, Joomla, or WordPress), but some administrators also need to embed profile-forms in an external site or custom HTML document. This has sometimes been accomplished with an "HTML Snippet" technique -- the bare, literal HTML code for a profile-form is manually copied and pasted to an external web site.

Unfortunately, this technique is incompatible with the "qfKey" security feature, which prevents cross-site request forgery: a pasted copy of the form cannot carry a valid per-session key. To keep such snippets working, profile-forms had the "qfKey" check disabled. This constitutes a functionality-vs-security trade-off that some have found acceptable, but it is not appropriate or necessary for all organizations.

Beginning with 4.7.11+ and 4.6.21+, this compromise is no longer necessary -- the "qfKey" enforcement is now available but optional. Specifically:

  • New CiviCRM installations will enable "qfKey" security for profiles by default. This is a more secure default that works for the majority of organizations.
  • Existing CiviCRM installations will disable "qfKey" security for profiles by default. This is a more compatible default that ensures that existing customizations continue to work.
  • When administrators review CiviCRM's self-diagnosis for potential security issues, it will display a warning if "qfKey" enforcement for profiles has been disabled.

In 4.7.11+/4.6.21+, you can toggle this option by:

  • Navigating to "Administer => System Settings => Misc"
  • (OR) Modifying the setting "remote_profile_submissions"

Security Risk

Critical

Vulnerability

Cross Site Request Forgery

Affected Versions

Up through v4.6.20 and v4.7.10

Fixed Versions

v4.6.21+ and v4.7.11+

Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v4.7.11+ or v4.6.21+
  • Backport PR #8925 and #8946 (or: #8931 + #8947)

Additionally, if your system has used the "HTML Snippet" technique, then you should evaluate measures such as:

  • Configure HTTP firewalling to prevent POSTs to CiviCRM from unrecognized referrers
  • Replace the "HTML Snippet" with a custom integration that uses a more secure data-flow based on APIv3 and REST.
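
The following is an added illustration, not CiviCRM code, of the two controls this advisory describes: the optional "qfKey" enforcement governed by the "remote_profile_submissions" setting (with the self-diagnosis warning when it is off), and the referrer-based HTTP filtering suggested as a mitigation for sites that still use the "HTML Snippet" technique. The token scheme, the request and settings objects, the allowlist of referrer hosts and the sample requests are all constructed for the example; only the setting name comes from the advisory.

```python
# Added model of the advisory's controls; not CiviCRM's own code.
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Settings:
    # Analogue of CiviCRM's "remote_profile_submissions" setting (name from the advisory).
    # False -> qfKey-style token is enforced on profile POSTs (the advisory's new-install default)
    # True  -> enforcement is off so pasted "HTML Snippet" forms keep working
    remote_profile_submissions: bool = False
    # Hypothetical allowlist of hosts a profile POST may originate from (constructed).
    allowed_referrer_hosts: tuple = ("crm.example.org",)


@dataclass
class Request:
    method: str
    fields: dict
    headers: dict = field(default_factory=dict)
    session_id: str = "anonymous"


# Per-deployment secret used to bind a token to a session; constructed for the example.
SERVER_SECRET = secrets.token_bytes(32)


def issue_qfkey(session_id: str, form_name: str) -> str:
    """Mint a per-session, per-form token. A copy of the form pasted on another site
    has no session to mint one from, which is why enforcement breaks the snippet technique."""
    msg = f"{session_id}:{form_name}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def qfkey_is_valid(session_id: str, form_name: str, presented) -> bool:
    """Constant-time comparison of the presented token against the one this session should hold."""
    expected = issue_qfkey(session_id, form_name)
    return presented is not None and hmac.compare_digest(expected, presented)


def security_diagnosis(settings: Settings) -> list:
    """Mirror the self-diagnosis warning: report when enforcement has been switched off."""
    warnings = []
    if settings.remote_profile_submissions:
        warnings.append("qfKey enforcement for profile forms is disabled (remote_profile_submissions)")
    return warnings


def referrer_allowed(req: Request, settings: Settings) -> bool:
    """Model of the suggested HTTP-firewall rule: accept a POST only when its Origin
    (preferred) or Referer header names a recognised host. A POST carrying neither header
    is rejected, since a browser-submitted form normally sends at least one."""
    for header in ("Origin", "Referer"):
        value = req.headers.get(header)
        if value:
            return urlsplit(value).hostname in settings.allowed_referrer_hosts
    return False


def handle_profile_post(req: Request, settings: Settings, form_name: str = "Profile") -> str:
    """Profile form handler: enforce the token unless the compatibility setting is on."""
    if req.method != "POST":
        return "ignored"
    if not settings.remote_profile_submissions:
        if not qfkey_is_valid(req.session_id, form_name, req.fields.get("qfKey")):
            return "rejected: missing or invalid qfKey"
    return "accepted"


if __name__ == "__main__":
    strict = Settings()
    token = issue_qfkey("session-1", "Profile")
    print(handle_profile_post(Request("POST", {"qfKey": token}, session_id="session-1"), strict))
    print(handle_profile_post(Request("POST", {"first_name": "Ada"}, session_id="session-1"), strict))
    print(security_diagnosis(Settings(remote_profile_submissions=True)))
```

The two checks are independent on purpose: the token check is what the setting toggles, while the referrer check stands in for the perimeter rule an administrator would add when the setting must stay off. Note that a Referer can be absent on legitimate requests (privacy settings, referrer policies), so a referrer-only rule should be treated as a stop-gap rather than a replacement for per-session tokens.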

Credits

  • Lateral Security
  • Pradeep Nayak (JMA Consulting)
  • Chris Burgess (Fuzion)
  • Tim Otten (CiviCRM)
  • Seamus Lee (Australian Greens)