CIVI-SA-2015-004 - Malicious Smarty file naming

Published
2015-03-04 12:05
Written by

The Smarty templating engine includes a defect in which a specially named Smarty template could be used to execute PHP code.

An exploit of this vulnerability in CiviCRM has not been identified. Exploiting it requires that an attacker have permission to set the name and content of a template file; in CiviCRM deployments, this permission is generally only available to system administrators. Nevertheless, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.

Security Risk
Not Critical
Vulnerability
Other
Affected Versions

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

CiviCRM v4.3.0 - v4.3.10

CiviCRM v4.2.0 - v4.2.19

Fixed Versions

CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+

 

Solutions

Any ONE of the following:

Credits
  • jonieske
  • Uwe Tews
  • Chris Burgess (Fuzion)
References
  • http://www.smarty.net/forums/viewtopic.php?t=18815
  • https://bugs.gentoo.org/show_bug.cgi?id=356615
CVE
CVE-2011-1028