CiviCRM's qfKey protects against cross-site request-forgery (CSRF) attacks. The handling of the qfKey is weaker than expected.
Upgrade Note: The update changes the representation of the qfKey. If you apply the update at the same time that an active user is working with a web form, then the user may temporarily retain an old (invalid) qfKey. Their next form submission may fail. However, this is quickly resolved by reloading the form (or navigating to any other form).
In Depth: The weakness can be described in terms of entropy. The design of qfKey suggests 128-256 bits of entropy, but the effective entropy is closer to 64 bits. As a general rule, 64 bits is considered weak for modern cryptography (it is within reach of an offline brute-force search). For the specific purpose of CSRF defenses, where each guess costs the attacker a live request to the server, it may be sufficient. Regardless, this update takes the safe approach and increases the entropy to a full 256 bits.
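The gap between apparent and effective entropy, as an added illustration (this is not CiviCRM code, and the advisory does not describe how qfKey was actually generated; the "weak" generator below is a hypothetical stand-in that hashes a 64-bit seed so the result merely looks like a 256-bit token):

```python
import hashlib
import secrets

TOKEN_BYTES = 32  # 256-bit tokens, the size this update moves qfKey to


def weak_token(seed_bits: int = 64) -> str:
    """Hypothetical weak generator: a seed_bits-wide random seed is hashed
    so the output is 64 hex chars (256 bits wide). Hashing cannot create
    entropy, so every token returned is one of at most 2**seed_bits values."""
    seed = secrets.randbits(seed_bits)
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    return hashlib.sha256(seed_bytes).hexdigest()


def strong_token() -> str:
    """Hardened form: 256 bits straight from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(TOKEN_BYTES)


def apparent_entropy_bits(token_hex: str) -> int:
    """What the token's width suggests to a casual reader."""
    return len(bytes.fromhex(token_hex)) * 8


def effective_entropy_bits(seed_bits: int, token_hex: str) -> int:
    """What an attacker actually has to search: bounded by the seed, not
    by the output width."""
    return min(seed_bits, apparent_entropy_bits(token_hex))


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Expected brute-force time at a given guess rate (half the keyspace)."""
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


def verify_token(expected: str, presented: str) -> bool:
    """Constant-time comparison. A token of the wrong length (for example one
    issued under an older representation) is rejected without comparing."""
    if len(presented) != len(expected):
        return False
    return secrets.compare_digest(expected, presented)


if __name__ == "__main__":
    w = weak_token()
    s = strong_token()
    print(f"weak   {w}  apparent={apparent_entropy_bits(w)}  effective={effective_entropy_bits(64, w)}")
    print(f"strong {s}  apparent={apparent_entropy_bits(s)}  effective={effective_entropy_bits(256, s)}")
    # Offline search (attacker holds some hash or derivative of the token), ~1e12 guesses/s assumed:
    print(f"64-bit offline:   {years_to_exhaust(64, 1e12):.2f} years")
    # Online CSRF guessing is bounded by what the web server will serve, ~1e4 req/s assumed:
    print(f"64-bit online:    {years_to_exhaust(64, 1e4):.3g} years")
    print(f"256-bit online:   {years_to_exhaust(256, 1e4):.3g} years")
    assert verify_token(s, s) and not verify_token(s, w)
```

The two guess rates are assumptions chosen to show the advisory's point: at offline speeds a 64-bit space falls in months, while an online CSRF guess, which costs one HTTP request each, would take the attacker tens of millions of years even at the weaker size. Moving to 256 bits removes the dependence on that rate limit altogether.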
Affected Versions: CiviCRM 6.4.0 and earlier
Fixed Versions: CiviCRM versions 6.4.1, 6.5.0, and 5.81.4 (ESR)
Mitigations: Any ONE of the following is sufficient:
- Upgrade to a fixed version of CiviCRM, or...
- Do nothing. The existing qfKey is weak, but (on its own) the weakness is difficult to exploit.
Credits: Sjoerd Langkemper; Tim Otten (CiviCRM); Seamus Lee (JMA Consulting)
Reference: security/core#140
