CIVI-SA-2020-03: PHP Code Execution via Phar Deserialization

Published
2020-04-15 12:00
Written by

Backend users may be able to upload and execute a maliciously crafted "PHAR" file.

The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection all CiviCRM-supported environments.

Security Risk
Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3

Publication Date
Solutions

Upgrade to the latest version of CIviCRM

Credits

Patrick Figel (Greenpeace CEE), Dennis Brinkrolf (RIPS Technologies) , and Seamus Lee (JMA Consulting/CiviCRM) for reporting the issue
Patrick Figel (Greenpeace CEE), Seamus Lee (JMA Consulting/CiviCRM), Kevin Cristiano (Tadpole Collective), Tim Otten (CiviCRM), and Rich Lott (Artful Robot) for resolving the issue

References

security/core#60
security/core#75