Security Advisories

CiviCRM includes the dompdf library for generating PDF documents. The dompdf library includes a standalone utility script, "dompdf.php"; old versions of the script are vulnerable to an arbitrary file access issue when the system is configured with option "DOMPDF_ENABLE_REMOTE".

CiviCase functionality includes several urls which allow a user to view and edit a limited amount of case info. Some of these urls were not adequately checking permissions and could be used by any user with "Access CiviCRM" permission.

This problem only affects sites using the CiviCase component. It is mitigated by the fact that the user must have "Access CiviCRM," a permission not normally granted to untrusted users.

CiviCRM Access Control Lists (ACLs) allow site administrators to grant or revoke access to specifics groups/contacts. In CiviCRM 4.4.x, any staff user with access to the "Export" functionality could bypass the ACLs.

CiviCRM uses AJAX callbacks to provide advisory details while completing certain forms. For example, when registering a new user through a profile form, CiviCRM issues an AJAX request to determine whether the username is available.

Some AJAX callbacks did not test for authorization, enabling untrusted parties to:

• Determine whether a username was in-use
• Determine the primary email address for a given contact ID
• Determine the list of available options in certain custom-field

The CiviCRM Profile subsystem allows administrators to design customized forms. The subsystem includes some advanced workflow settings which are not securely handled. By submitting a custom-crafted form to the Profile subsystem, an attacker may manipulate these settings. This vulnerability can be leveraged to acquire escalated privileges and (possibly) to issue open redirects.

A small number of CiviCRM entry points had faulty permission checks. This could allow hackers, under certain circumstances, to view basic contact information such as name, email, phone, or address for contacts in the database.

The risk is limited to viewing basic contact information - it does not include contributions, memberships, passwords or other data. It does not give hackers the ability to login or make changes to the database.

All sites are advised to upgrade immediately to avoid the potential risk.

In its default configuration, CiviCRM places some uploaded and server-generated data in the CMS's data folder (such as Drupal's "sites/default/files" or Joomla's "media"). This folder is web-accessible, but many of the documents processed by CiviCRM should not be web-accessible. If CiviCRM's data folders are not suitably protected from web access, then sensitive information may be disclosed.

The CiviCRM API provides programmatic access to CiviCRM. Multiple APIs were vulnerable to SQL injection attacks.

The potential to exploit these vulnerabilities is limited by multiple factors:

SQL injection vulnerability, multiple vectors.

CiviCRM v3.3 introduced the extensions directory which retrieves extension listings and extension code via HTTP, and v4.3 introduced a new dashboard feed which displays news and updates retrieved from CiviCRM.org. Before v4.3.5 these were retrieved over an unencrypted channel, which raises the possibility of an attacker injecting malicious code via a "man in the middle" (MITM) attack.

In version v4.3.5+, this data will be retrieved over SSL, which will reduce the potential for malicious content injection.

CiviCRM communicates with multiple payment-processing services via SSL. In order to establish the remote payment-processing service is authentic, the SSL certificate it provides must be verified.

The following payment processors included in CiviCRM contained code which disabled verification of the certificate hostname (CURLOPT_SSL_VERIFYHOST).

html2text is a library which converts HTML documents to plain-text documents. CiviMail uses html2text to convert HTML email messages to plain-text email messages. A bug in the processing of certain HTML tags causes html2text to evaluate PHP code from the HTML document. Any authenticated staff user with permission to send email (e.g. permission "access CiviMail") can therefore execute PHP code.

This vulnerability is mitigated by the following factors:

Smarty is a template library responsible for composing web-page output in CiviCRM. If Smarty encounters an internal processing error (such as an unknown template-file or unknown template-function), then it outputs an error message. In Smarty 2.6.26 and earlier, the error message is not properly escaped and (in combination with other, unidentified flaws) may provide a vector for a cross-site scripting attack. The issue is resolved in Smarty 2.6.27 and CiviCRM 4.3.4.

The "Quick Search" bar in CiviCRM v4.3 includes a backend for processing search requests which is split in two layers. Both layers may be accessed remotely by backend users with permission "access CiviCRM." A malicious user may bypass one layer (which performs SQL validation/escaping) and call the second layer directly (thus bypassing SQL validation/escaping).

Note: The scope of the SQL injection is limited compared to a typical SQL injection because CiviCRM's SQL API does not accept SQL queries with multiple statements. Consequently:

CiviCRM v2+ includes a "Custom Search" system which allows administrators to register customized search forms and includes some default custom-searches (e.g. "Find Contribution Amounts by Tag"). CiviCRM also supports role-based access controls using permissions like "access CiviContribute" or "access CiviEvent". For the default custom-searches, CiviCRM does not enforce the expected role-based access controls.

OpenFlashChart is a library used to render dashboards and reports in CiviCRM v3+. The library includes a program written for Adobe Flash which accepts data via query string. The data is not properly sanitisized. If an attacker provides an authorized user with a maliciously constructed link, the attacker can cause the user to execute arbitrary JavaScript code.

Note: This document is being published in June 2013 to conform with our new disclosure format. However, the issue was previously disclosed in detail in a civicrm.org blog-post (April 2013) and in summary in a civicrm.org release-announcement (Nov 2012).