Security Risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 

CiviCRM versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM versions 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

In CiviCRM systems which accept file attachments, a malicious user could perform a cross-site scripting attack. The attack involves requesting the "civicrm/file" path with a forged value in the "&mime-type=..." parameter, so that the server labels the attachment with a content type chosen by the attacker.

The solution involved a few subtle changes in the public-facing contract for "civicrm/file". If you have a customization which relies on this route, you may want to consider the details:

  1. For typical attachment URLs ("civicrm/file?id=..."), the "mime-type" parameter is now ignored. The MIME type is determined from a more definitive source (the stored attachment record). This is effectively equivalent to the old behavior, except that the type can no longer be overridden by the request.
  2. For some atypical attachment URLs ("civicrm/file?path=...&mime-type=..." - most commonly used with profile images), the MIME type may not be definitively available. To prevent abuse, these requests are subject to additional checks:

    • The MIME type and the file's extension must be commonly known to agree with each other. (For example, the MIME type "image/jpeg" agrees with the file extensions ".jpg" and ".jpeg" but not ".txt".)
    • The MIME type must be in a whitelist. The default whitelist includes only common image types. To customize the whitelist, an administrator must modify the hidden setting "requestableMimeTypes".
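The following is an added illustration of the two request paths described above, written for this advisory and not taken from CiviCRM's code. It assumes a constructed attachment table, a constructed extension map, and a hypothetical default allow-list; the real contents of the "requestableMimeTypes" setting are not reproduced.

```python
import os
from urllib.parse import parse_qs

# Hypothetical default allow-list, standing in for the "requestableMimeTypes"
# setting ("common image types" per the advisory; exact values assumed).
REQUESTABLE_MIME_TYPES = {"image/jpeg", "image/png", "image/gif"}

# Constructed table of extensions commonly known to agree with a MIME type.
KNOWN_EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
    "text/html": {".html", ".htm"},
}

# Constructed attachment records: id -> MIME type recorded at upload time.
ATTACHMENTS = {"7": "image/png"}


def mime_agrees_with_extension(mime_type, path):
    """True only if the path's extension is a known match for mime_type."""
    ext = os.path.splitext(path)[1].lower()
    return ext in KNOWN_EXTENSIONS.get(mime_type, set())


def resolve_response_type(query, allowed=REQUESTABLE_MIME_TYPES):
    """Decide which Content-Type to serve for a civicrm/file query string.

    Returns the MIME type to use, or None if the request must be refused.
    """
    params = parse_qs(query)
    if "id" in params:
        # Typical URL: any "mime-type" parameter is ignored; the type comes
        # from the stored record and cannot be overridden by the request.
        return ATTACHMENTS.get(params["id"][0])
    path = params.get("path", [None])[0]
    requested = params.get("mime-type", [None])[0]
    if path is None or requested is None:
        return None
    requested = requested.strip().lower()
    # Atypical URL: both checks from the advisory must pass.
    if requested not in allowed:
        return None
    if not mime_agrees_with_extension(requested, path):
        return None
    return requested
```

A request such as "path=avatar.jpg&mime-type=text/html" is refused by the allow-list check, and "path=notes.txt&mime-type=image/jpeg" by the extension check, while "id=7&mime-type=text/html" is served with the recorded type.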


Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Tim Otten of CiviCRM and Patrick Figel of Greenpeace for identifying the issue

Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue

References: 

security/core#54