CIVI-SA-2019-21: PHP Object Injection via Saved Search and Report Instance APIs

Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs using "serialized" PHP notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability - which can potentially escalate to an "Arbitary Code Execution" vulnerability.

The APIs now accept a restricted subset of "serialized" notation - the APIs will only accept basic data (arrays, strings, numbers, etc). This prohibits PHP object construction and retains backward compatibility with typical API inputs.

Security Risk

Critical

Vulnerability

Arbitrary PHP Code Execution

Affected Versions

CiviCRM before 5.19.2 and before 5.13.7

Fixed Versions

CiviCRM 5.19.2 and 5.13.7

Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace CEE for reporting the issue

Seamus Lee of Australian Greens, Patrick Figel of Greenpeace CEE and Tim Otten of CiviCRM for fixing the issue

References

security/core#46

CIVI-SA-2019-21: PHP Object Injection via Saved Search and Report Instance APIs

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2019-21: PHP Object Injection via Saved Search and Report Instance APIs

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM