CIVI-SA-2021-02: Web Executable Utility Scripts

2021-03-09 09:00

The development tree for CiviCRM includes a handful of utility scripts in the "sql/" and "tools/" folders. These scripts may manipulate data (e.g. generating fake contact records), and they lacked guards against being invoked remotely, through the web server, by a malicious user.

This issue does not affect most deployments, which use the standard CiviCRM releases ("*.tar.gz" or "*.zip"). It primarily affects development/testing systems or highly customized deployments that are deployed directly from CiviCRM's source code-management system ("git"), where the utility scripts are present in the web-served tree.


Security Risk

Not Critical

Arbitrary PHP Code Execution
Affected Versions

CiviCRM versions 5.35.0 and earlier, if deployed directly from git

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Publication Date

2021-03-09

Solution

Any ONE of these would be sufficient:

  • Deploy with a standard CiviCRM tarball (instead of using "git")

  • Upgrade to the latest version of CiviCRM

  • Delete or block remote access to any *.php files in the "civicrm/sql/" or "civicrm/tools/" folders
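As an added example (not part of this advisory or CiviCRM's own code), the following POSIX shell helpers implement the third option: they audit a checkout for *.php files under "sql/" and "tools/" and apply a web-server deny rule. The directory argument, the URL prefix and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example: audit a CiviCRM checkout for the utility scripts this advisory
# describes and apply the "block remote access" mitigation. Not CiviCRM's own code.
# Assumption: $1 is the filesystem path of the web-served civicrm/ directory.

# List every *.php file under sql/ and tools/, relative to the civicrm root.
list_utility_scripts() {
  ( cd "$1" 2>/dev/null || exit 1
    for d in sql tools; do
      [ -d "$d" ] && find "$d" -type f -name '*.php'
    done ) | sort
}

# Number of such scripts; a non-zero count means a git deployment is exposed.
count_utility_scripts() {
  list_utility_scripts "$1" | wc -l | tr -d ' '
}

# Apache 2.4: drop a .htaccess into each folder that refuses all web requests.
# Assumes the vhost allows overrides (AllowOverride) for this path.
write_deny_htaccess() {
  for d in sql tools; do
    [ -d "$1/$d" ] || continue
    printf 'Require all denied\n' > "$1/$d/.htaccess"
  done
}

# nginx equivalent, printed for the server block; $1 is the URL prefix under
# which civicrm/ is served (assumed, e.g. /sites/all/modules/civicrm).
print_nginx_deny() {
  printf 'location ~ ^%s/(sql|tools)/.*\\.php$ { deny all; }\n' "$1"
}

# Stand-alone use: audit the given path and report what would be blocked.
if [ "$#" -gt 0 ]; then
  echo "Web-executable utility scripts under $1:"
  list_utility_scripts "$1"
  echo "Total: $(count_utility_scripts "$1")"
fi
```

For nginx, place the printed location block before the location that hands *.php requests to PHP-FPM, since nginx applies the first matching regex location.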


Credits

Tim Otten of CiviCRM Core for reporting the issue

Seamus Lee of JMA Consulting / CiviCRM Core and Rich Lott of Artfulrobot for fixing the issue

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix