CIVI-SA-2019-15: XSS via forged MIME type

Published
2019-05-15 09:00

In CiviCRM systems which accept file attachments, a malicious user could perform a cross-site scripting attack by requesting the "civicrm/file" path with a forged value in the "mime-type" parameter, so that an uploaded file was served with an attacker-chosen MIME type.

The solution involved a few subtle changes in the public-facing contract for "civicrm/file". If you have a customization which relies on this route, review the details:

  1. For typical attachment URLs ("civicrm/file?id=..."), the "mime-type" parameter is now ignored. The MIME type is determined from a more definitive source than the request. (This is effectively equivalent to the old behavior, except that the type can no longer be overridden by the client.)
  2. For some atypical attachment URLs ("civicrm/file?path=...&mime-type=..." - most commonly used with profile-images), the MIME type may not be definitively available. To prevent abuse, these requests are subject to additional checks:

    • The MIME type and the file's extension must be commonly known to agree with each other. (For example, the MIME type "image/jpeg" agrees with the file extensions ".jpg" and ".jpeg" but not ".txt".)
    • The MIME type must be in a whitelist. The default whitelist includes only common image types. To customize the whitelist, an administrator must modify the hidden setting "requestableMimeTypes".
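The following is an added example, not CiviCRM's own code, that models the Content-Type decision for "civicrm/file" before and after the change described above: the pre-fix behavior lets the "mime-type" parameter win, while the post-fix behavior ignores it for "id=" requests and applies the extension-agreement and whitelist checks for "path=" requests. The extension table and the default value of "requestableMimeTypes" are assumptions (the advisory only says the default covers common image types), and the request dictionaries are constructed, not captured traffic.

```python
import os
from typing import Dict, Optional, Set

# Constructed table of which file extensions are commonly known to agree
# with which MIME type (the advisory's "image/jpeg" <-> ".jpg"/".jpeg" rule).
KNOWN_EXTENSIONS: Dict[str, Set[str]] = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
    "image/svg+xml": {".svg"},
    "text/plain": {".txt"},
    "text/html": {".html", ".htm"},
}

# Assumed default for the hidden "requestableMimeTypes" setting; the exact
# list shipped by CiviCRM is not stated in the advisory.
DEFAULT_REQUESTABLE_MIME_TYPES: Set[str] = {"image/jpeg", "image/png", "image/gif"}


class RejectedRequest(Exception):
    """A request failed one of the post-fix checks and must not be served."""


def vulnerable_content_type(params: Dict[str, str], stored_mime: Optional[str] = None) -> str:
    """Pre-fix behavior: a 'mime-type' query parameter overrides the type
    recorded for the attachment, so an uploaded file can be served as
    text/html and its contents run as script in the site's origin.
    (The octet-stream fallback is an assumption for the no-type case.)"""
    return params.get("mime-type") or stored_mime or "application/octet-stream"


def extension_agrees(mime_type: str, path: str) -> bool:
    """True when the file's extension is commonly known to match mime_type."""
    ext = os.path.splitext(path)[1].lower()
    return bool(ext) and ext in KNOWN_EXTENSIONS.get(mime_type, set())


def fixed_content_type(params: Dict[str, str], stored_mime: Optional[str] = None,
                       requestable: Set[str] = DEFAULT_REQUESTABLE_MIME_TYPES) -> str:
    """Post-fix behavior as described in the advisory."""
    if "id" in params:
        # Typical attachment URL: the parameter is ignored and the type comes
        # from the stored record, so the client cannot override it.
        if stored_mime is None:
            raise RejectedRequest("no stored MIME type for attachment id %r" % params["id"])
        return stored_mime
    if "path" in params:
        # Atypical URL (e.g. profile images): no definitive stored type, so the
        # requested type must be whitelisted AND agree with the file extension.
        mime_type = params.get("mime-type", "")
        if mime_type not in requestable:
            raise RejectedRequest("%r is not a requestable MIME type" % mime_type)
        if not extension_agrees(mime_type, params["path"]):
            raise RejectedRequest("extension of %r does not agree with %r"
                                  % (params["path"], mime_type))
        return mime_type
    raise RejectedRequest("request names neither an attachment id nor a path")


if __name__ == "__main__":
    # Constructed requests (query parameters already parsed into a dict).
    cases = [
        ({"id": "42", "mime-type": "text/html"}, "image/png"),
        ({"path": "custom/profile.jpg", "mime-type": "image/jpeg"}, None),
        ({"path": "custom/profile.jpg", "mime-type": "text/html"}, None),
        ({"path": "custom/upload.html", "mime-type": "image/jpeg"}, None),
    ]
    for params, stored in cases:
        before = vulnerable_content_type(params, stored)
        try:
            after = fixed_content_type(params, stored)
        except RejectedRequest as exc:
            after = "rejected (%s)" % exc
        print("%-60s before: %-12s after: %s" % (params, before, after))
```

The two checks cover different failure modes: the whitelist alone would still let an attacker request a whitelisted type for a file whose name says otherwise, and extension agreement alone would happily serve "upload.html" as "text/html". When widening "requestableMimeTypes", remember that some image types can carry script (SVG is the usual example), so adding them re-admits the kind of content the default list was chosen to exclude.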


Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.13.0 and earlier

Fixed Versions

CiviCRM version 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Tim Otten of CiviCRM and Patrick Figel of Greenpeace for identifying the issue 

Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue 

References

security/core#54