The development tree for CiviCRM includes a handful of utility scripts in the folders "sql/" and "tools/". These scripts may manipulate data (e.g. generating fake contact records), and they lacked guards to protect from remote/malicious use.
This issue does not affect most deployments which use the standard CiviCRM releases ("*.tar.gz" or "*.zip"). The issue primarily affects developmental/testing systems or highly-customized deployments which directly read from CiviCRM's source code-management system ("git").
Affected versions: CiviCRM versions 5.35.0 and earlier, if deployed directly from git.
Fixed versions: CiviCRM version 5.35.1 and ESR version 5.33.3.
Workarounds: any ONE of these would be sufficient:
- Deploy with a standard CiviCRM tarball (instead of using "git")
- Upgrade to the latest version of CiviCRM
- Delete or block remote access to any *.php files in the "civicrm/sql/" or "civicrm/tools/" folders
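The third workaround can be checked and applied from a shell. The script below is an added example, not CiviCRM's own code: it walks the "sql/" and "tools/" folders of a given CiviCRM root (the two folders named in this advisory), lists any *.php files a web server could serve, and optionally deletes them. The function names and the sample directory layout are assumptions made for this example; other PHP files outside those two folders are deliberately left untouched.

```shell
#!/bin/sh
# Added example (not part of the CiviCRM project): check a CiviCRM checkout
# for remotely reachable utility scripts under sql/ and tools/.

# civicrm_dev_scripts ROOT
#   Prints every *.php file found under ROOT/sql and ROOT/tools.
#   Returns 0 when none are present, 1 when at least one was found.
civicrm_dev_scripts() {
    root="$1"
    found=0
    for dir in "$root/sql" "$root/tools"; do
        # Tarball deployments may not ship these folders at all.
        [ -d "$dir" ] || continue
        files=$(find "$dir" -type f -name '*.php' 2>/dev/null)
        if [ -n "$files" ]; then
            printf '%s\n' "$files"
            found=1
        fi
    done
    return $found
}

# civicrm_remove_dev_scripts ROOT
#   Deletes the *.php files reported by civicrm_dev_scripts, leaving the
#   rest of the tree (e.g. CRM/, templates/) intact.
civicrm_remove_dev_scripts() {
    root="$1"
    for dir in "$root/sql" "$root/tools"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.php' -exec rm -f {} +
    done
}

# Typical use on a git-based deployment (path is an assumption):
#   civicrm_dev_scripts /var/www/sites/all/modules/civicrm && echo "clean"
#   civicrm_remove_dev_scripts /var/www/sites/all/modules/civicrm
```

Run the check first and review its output before removing anything; on a deployment that still needs the scripts for local testing, the alternative from the list above, blocking remote access at the web server, avoids touching the checkout.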
Credits:
- Tim Otten of CiviCRM Core for reporting the issue
- Seamus Lee of JMA Consulting / CiviCRM Core and Rich Lott of Artfulrobot for fixing the issue
- Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix
Reference: security/core#97